Malware Analysis Report

2024-09-23 11:55

Sample ID 240612-svgtzazejg
Target 2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil
SHA256 a8e4d28bdc0eb1f642059ada096afc4d63c874f949f63d0386e92acae798d43b
Tags
bootkit discovery persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a8e4d28bdc0eb1f642059ada096afc4d63c874f949f63d0386e92acae798d43b

Threat Level: Known bad

The file 2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil was found to be: Known bad.

Malicious Activity Summary

bootkit discovery persistence spyware stealer

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables containing SQL queries to confidential data stores. Observed in infostealers.

Downloads MZ/PE file

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Checks for any installed AV software in registry

Writes to the Master Boot Record (MBR)

Checks installed software on the system

Checks system information in the registry

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

Modifies data under HKEY_USERS

Uses Volume Shadow Copy WMI provider

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy service COM API

Modifies system certificate store

Checks processor information in registry

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-12 15:26

Signatures

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables containing SQL queries to confidential data stores. Observed in infostealers.

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 15:26

Reported

2024-06-12 15:29

Platform

win7-20240611-en

Max time kernel

151s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe"

Signatures

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables containing SQL queries to confidential data stores. Observed in infostealers.

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\system32\dllhost.exe N/A
N/A N/A C:\Windows\ehome\ehRecvr.exe N/A
N/A N/A C:\Windows\system32\DllHost.exe N/A
N/A N/A C:\Windows\ehome\ehsched.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
N/A N/A C:\Windows\system32\IEEtwCollector.exe N/A
N/A N/A C:\Windows\system32\DllHost.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
N/A N/A C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\System32\msdtc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE N/A
N/A N/A C:\Windows\SysWow64\perfhost.exe N/A
N/A N/A C:\Windows\system32\locator.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\System32\snmptrap.exe N/A
N/A N/A C:\Windows\System32\vds.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\system32\vssvc.exe N/A
N/A N/A C:\Windows\system32\wbengine.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\system32\wbem\WmiApSrv.exe N/A
N/A N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
N/A N/A C:\Windows\system32\SearchIndexer.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Software\Wow6432Node\AVAST Software\Avast C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
Key opened \REGISTRY\MACHINE\Software\Wow6432Node\Avira\Antivirus C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence

Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A

Checks system information in the registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\system32\SearchProtocolHost.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\IEEtwCollector.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\60a03b688ab55808.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\IEEtwCollector.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\ssvagent.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\tnameserv.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\pack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\javaws.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\updater.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\javacpl.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\ssvagent.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\keytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\ehome\ehsched.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{959BB25A-F142-4186-9E76-840953322F6E}.crmlog C:\Windows\system32\dllhost.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\Windows\System32\alg.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\ehome\ehRecvr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\ehome\ehRecvr.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{959BB25A-F142-4186-9E76-840953322F6E}.crmlog C:\Windows\system32\dllhost.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\ehome\ehsched.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SNTSearch.dll,-505 = "Sticky Notes" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\filemgmt.dll,-2204 = "Services" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\FXSRESM.dll,-115 = "Send and receive faxes or scan pictures and documents." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\DVD Maker\DVDMaker.exe,-61403 = "Windows DVD Maker" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\wucltux.dll,-2 = "Delivers software updates and drivers, and provides automatic updating options." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\ehome\ehres.dll,-116 = "Opens your home entertainment option for digital and on-demand media, including TV, movies, music and pictures." C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\SearchIndexer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-117 = "Maid with the Flaxen Hair" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Filemgmt.dll,-602 = "Starts, stops, and configures Windows services." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10021 = "Performance Monitor" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10061 = "Spider Solitaire" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10307 = "Purble Place is an educational and entertaining game that comprises three distinct games that help teach colors, shapes and pattern recognition." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10054 = "Chess Titans" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10058 = "Purble Place" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10209 = "More Games from Microsoft" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\Explorer.exe,-312 = "Play and manage games on your computer." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16" C:\Windows\ehome\ehRec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10030 = "Resource Monitor" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\syncCenter.dll,-3001 = "Sync files between your computer and network folders" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SoundRecorder.exe,-100 = "Sound Recorder" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-101 = "Event Viewer" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32" C:\Windows\ehome\ehRec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\Speech\SpeechUX\sapi.cpl,-5555 = "Windows Speech Recognition" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\rstrui.exe,-100 = "System Restore" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\AuthFWGP.dll,-20 = "Windows Firewall with Advanced Security" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\iscsicpl.dll,-5001 = "iSCSI Initiator" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\ehome\ehRecvr.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wucltux.dll,-1 = "Windows Update" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32" C:\Windows\ehome\ehRec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10060 = "Solitaire" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10305 = "Hearts is a trick-based card game in which the goal is to get rid of cards while avoiding points. The player with the lowest number of points wins." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\MdSched.exe,-4002 = "Check your computer for memory problems." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000800a4a19ddbcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291 = "Math Input Panel" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10309 = "Solitaire is the classic, single-player card game. The aim is to collect all the cards in runs of alternating red and black suit colors, from ace through king." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-591 = "Windows Easy Transfer Reports" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10103 = "Internet Spades" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msra.exe,-100 = "Windows Remote Assistance" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000" C:\Windows\ehome\ehRec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020de7c27ddbcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\System\wab32res.dll,-4602 = "Contact file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074 = "Windows Journal" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10301 = "Enjoy the classic strategy game of Backgammon. Compete against players online and race to be the first to remove all your playing pieces from the board." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\recdisc.exe,-2001 = "Creates a disc you can use to access system recovery options." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\ehome\ehres.dll,-100 = "Windows Media Center" C:\Windows\system32\SearchProtocolHost.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 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 C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Windows\ehome\ehRec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\DllHost.exe N/A
Token: 33 N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ehome\ehRec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: 33 N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: 33 N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Windows\eHome\EhTray.exe N/A
N/A N/A C:\Windows\eHome\EhTray.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\eHome\EhTray.exe N/A
N/A N/A C:\Windows\eHome\EhTray.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1920 wrote to memory of 2348 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 2348 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 2348 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 2348 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 264 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 264 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 264 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 264 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 1232 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 1232 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 1232 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 1232 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 920 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 920 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 920 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 920 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 2672 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\system32\SearchIndexer.exe
PID 1920 wrote to memory of 2672 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\system32\SearchIndexer.exe
PID 1920 wrote to memory of 2672 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\system32\SearchIndexer.exe
PID 1920 wrote to memory of 2672 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\system32\SearchIndexer.exe
PID 1920 wrote to memory of 2816 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 2816 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 2816 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 2816 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 2408 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 2408 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 2408 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 2408 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 2828 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 2828 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 2828 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 2828 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 2592 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 2592 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 2592 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 2592 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 3012 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 3012 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 3012 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 3012 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 1556 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 2672 wrote to memory of 1556 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 2672 wrote to memory of 1556 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 1920 wrote to memory of 288 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 288 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 288 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 288 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2672 wrote to memory of 1480 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 2672 wrote to memory of 1480 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 2672 wrote to memory of 1480 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 1920 wrote to memory of 916 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 916 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 916 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 916 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 2976 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 2976 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 2976 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 2976 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 3012 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 3012 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 3012 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 3012 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 2656 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1920 wrote to memory of 2656 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\system32\dllhost.exe

C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\ehome\ehsched.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\eHome\EhTray.exe

"C:\Windows\eHome\EhTray.exe" /nav:-2

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\system32\IEEtwCollector.exe

C:\Windows\system32\IEEtwCollector.exe /V

C:\Windows\ehome\ehRec.exe

C:\Windows\ehome\ehRec.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 250 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1f0 -NGENProcess 25c -Pipe 1d8 -Comment "NGen Worker Process"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 244 -NGENProcess 260 -Pipe 24c -Comment "NGen Worker Process"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

"C:\Program Files\Windows Media Player\wmpnetwk.exe"

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 268 -NGENProcess 258 -Pipe 254 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1f0 -NGENProcess 270 -Pipe 244 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 264 -NGENProcess 258 -Pipe 1d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 278 -NGENProcess 268 -Pipe 274 -Comment "NGen Worker Process"

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-39690363-730359138-1046745555-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-39690363-730359138-1046745555-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1f0 -NGENProcess 27c -Pipe 264 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 260 -NGENProcess 280 -Pipe 240 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 250 -NGENProcess 27c -Pipe 258 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 270 -NGENProcess 288 -Pipe 260 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1f0 -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 26c -NGENProcess 288 -Pipe 278 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 288 -NGENProcess 27c -Pipe 294 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 25c -NGENProcess 298 -Pipe 26c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 290 -NGENProcess 29c -Pipe 280 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 290 -NGENProcess 268 -Pipe 298 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2a0 -NGENProcess 29c -Pipe 2a4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 2a0 -NGENProcess 290 -Pipe 28c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 288 -NGENProcess 29c -Pipe 25c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1d0 -Comment "NGen Worker Process"

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ncc.avast.com udp
NL 96.16.53.146:80 ncc.avast.com tcp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 54.157.24.8:80 przvgke.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 analytics.ff.avast.com udp
US 54.157.24.8:80 przvgke.biz tcp
US 34.117.223.223:443 analytics.ff.avast.com tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 44.208.124.139:80 przvgke.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 www.ccleaner.com udp
US 8.8.8.8:53 ipm-provider.ff.avast.com udp
US 8.8.8.8:53 ip-info.ff.avast.com udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 34.149.149.62:443 ip-info.ff.avast.com tcp
US 34.111.24.1:443 ipm-provider.ff.avast.com tcp
BE 104.90.25.36:443 www.ccleaner.com tcp
BE 104.90.25.36:443 www.ccleaner.com tcp
US 34.160.176.28:443 shepherd.ff.avast.com tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
GB 172.217.169.67:80 c.pki.goog tcp
US 8.8.8.8:53 license-api.ccleaner.com udp
GB 172.217.169.67:80 c.pki.goog tcp
BE 104.90.25.36:443 license-api.ccleaner.com tcp
US 8.8.8.8:53 download.ccleaner.com udp
US 8.8.8.8:53 o.pki.goog udp
US 8.8.8.8:53 o.pki.goog udp
NL 104.123.45.5:443 download.ccleaner.com tcp
GB 172.217.169.67:80 o.pki.goog tcp
GB 172.217.169.67:80 o.pki.goog tcp
US 44.208.124.139:80 przvgke.biz tcp
US 8.8.8.8:53 ipmcdn.avast.com udp
US 8.8.8.8:53 ssl.google-analytics.com udp
US 34.117.223.223:443 analytics.ff.avast.com tcp
GB 216.58.212.232:443 ssl.google-analytics.com tcp
NL 23.51.79.68:443 ipmcdn.avast.com tcp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
US 44.200.43.61:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 13.251.16.150:80 ifsaia.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 44.221.84.105:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
SG 18.141.10.107:80 vcddkls.biz tcp
US 8.8.8.8:53 fwiwk.biz udp
US 34.193.97.35:80 fwiwk.biz tcp
US 8.8.8.8:53 udp
US 34.193.97.35:80 fwiwk.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
IE 34.246.200.160:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 18.208.156.248:80 deoci.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 13.251.16.150:80 qaynky.biz tcp
US 8.8.8.8:53 udp
SG 18.141.10.107:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 xlfhhhm.biz udp
US 44.200.43.61:80 xlfhhhm.biz tcp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 44.221.84.105:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 54.244.188.177:80 dwrqljrr.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 35.164.78.200:80 nqwjmb.biz tcp
US 8.8.8.8:53 ytctnunms.biz udp
US 3.94.10.34:80 ytctnunms.biz tcp
US 8.8.8.8:53 myups.biz udp
US 165.160.13.20:80 myups.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 54.244.188.177:80 oshhkdluh.biz tcp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 jpskm.biz udp
US 34.211.97.45:80 jpskm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 13.251.16.150:80 ifsaia.biz tcp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 54.244.188.177:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 wllvnzb.biz udp
SG 18.141.10.107:80 wllvnzb.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 44.221.84.105:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
SG 18.141.10.107:80 vcddkls.biz tcp
US 8.8.8.8:53 gnqgo.biz udp
US 18.208.156.248:80 gnqgo.biz tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 44.221.84.105:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
SG 18.141.10.107:80 acwjcqqv.biz tcp
US 8.8.8.8:53 fwiwk.biz udp
US 34.193.97.35:80 fwiwk.biz tcp
US 34.193.97.35:80 fwiwk.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
IE 34.246.200.160:80 tbjrpv.biz tcp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 deoci.biz udp
US 8.8.8.8:53 vyome.biz udp
US 18.208.156.248:80 deoci.biz tcp
US 44.213.104.86:80 vyome.biz tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 gytujflc.biz udp
US 18.208.156.248:80 deoci.biz tcp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
SG 13.251.16.150:80 iuzpxe.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 13.251.16.150:80 qaynky.biz tcp
US 8.8.8.8:53 sxmiywsfv.biz udp
SG 13.251.16.150:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 44.221.84.105:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 54.244.188.177:80 dwrqljrr.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 35.164.78.200:80 nqwjmb.biz tcp
US 8.8.8.8:53 vrrazpdh.biz udp
US 34.211.97.45:80 vrrazpdh.biz tcp
US 3.94.10.34:80 ytctnunms.biz tcp
US 8.8.8.8:53 myups.biz udp
US 165.160.13.20:80 myups.biz tcp
US 8.8.8.8:53 ftxlah.biz udp
US 34.218.204.173:80 ftxlah.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 54.244.188.177:80 oshhkdluh.biz tcp
US 8.8.8.8:53 typgfhb.biz udp
SG 13.251.16.150:80 typgfhb.biz tcp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 jpskm.biz udp
US 34.211.97.45:80 jpskm.biz tcp
US 8.8.8.8:53 esuzf.biz udp
US 34.211.97.45:80 esuzf.biz tcp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 54.244.188.177:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 3.94.10.34:80 gvijgjwkh.biz tcp
US 8.8.8.8:53 wllvnzb.biz udp
SG 18.141.10.107:80 wllvnzb.biz tcp
US 8.8.8.8:53 qpnczch.biz udp
US 44.213.104.86:80 qpnczch.biz tcp
US 8.8.8.8:53 brsua.biz udp
IE 3.254.94.185:80 brsua.biz tcp
US 8.8.8.8:53 dlynankz.biz udp
DE 85.214.228.140:80 dlynankz.biz tcp
US 8.8.8.8:53 oflybfv.biz udp
US 44.200.43.61:80 oflybfv.biz tcp
US 8.8.8.8:53 yhqqc.biz udp
US 34.211.97.45:80 yhqqc.biz tcp
US 8.8.8.8:53 gnqgo.biz udp
US 18.208.156.248:80 gnqgo.biz tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 44.221.84.105:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 mnjmhp.biz udp
US 44.200.43.61:80 mnjmhp.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
SG 18.141.10.107:80 acwjcqqv.biz tcp
US 8.8.8.8:53 opowhhece.biz udp
US 18.208.156.248:80 opowhhece.biz tcp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 jdhhbs.biz udp
SG 13.251.16.150:80 jdhhbs.biz tcp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 vyome.biz udp
US 44.213.104.86:80 vyome.biz tcp
US 8.8.8.8:53 yauexmxk.biz udp
US 18.208.156.248:80 yauexmxk.biz tcp
US 8.8.8.8:53 mgmsclkyu.biz udp
IE 34.246.200.160:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
SG 13.251.16.150:80 iuzpxe.biz tcp
US 8.8.8.8:53 warkcdu.biz udp
SG 18.141.10.107:80 warkcdu.biz tcp
US 8.8.8.8:53 gcedd.biz udp
SG 13.251.16.150:80 gcedd.biz tcp
US 8.8.8.8:53 jwkoeoqns.biz udp
US 18.208.156.248:80 jwkoeoqns.biz tcp
US 8.8.8.8:53 xccjj.biz udp
US 44.213.104.86:80 xccjj.biz tcp
US 8.8.8.8:53 sxmiywsfv.biz udp
SG 13.251.16.150:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 hehckyov.biz udp
US 44.221.84.105:80 hehckyov.biz tcp
US 8.8.8.8:53 rynmcq.biz udp
US 54.244.188.177:80 rynmcq.biz tcp
US 8.8.8.8:53 uaafd.biz udp
IE 3.254.94.185:80 uaafd.biz tcp
US 8.8.8.8:53 eufxebus.biz udp
SG 18.141.10.107:80 eufxebus.biz tcp
US 8.8.8.8:53 vrrazpdh.biz udp
US 34.211.97.45:80 vrrazpdh.biz tcp
US 8.8.8.8:53 ftxlah.biz udp
US 34.218.204.173:80 ftxlah.biz tcp
US 8.8.8.8:53 typgfhb.biz udp
US 8.8.8.8:53 pwlqfu.biz udp
SG 13.251.16.150:80 typgfhb.biz tcp
IE 34.246.200.160:80 pwlqfu.biz tcp
US 8.8.8.8:53 rrqafepng.biz udp
US 44.200.43.61:80 rrqafepng.biz tcp
US 8.8.8.8:53 ctdtgwag.biz udp
US 3.94.10.34:80 ctdtgwag.biz tcp
US 8.8.8.8:53 tnevuluw.biz udp
US 35.164.78.200:80 tnevuluw.biz tcp
US 8.8.8.8:53 esuzf.biz udp
US 34.211.97.45:80 esuzf.biz tcp
US 8.8.8.8:53 whjovd.biz udp
SG 18.141.10.107:80 whjovd.biz tcp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 3.94.10.34:80 gvijgjwkh.biz tcp
US 8.8.8.8:53 qpnczch.biz udp
US 44.213.104.86:80 qpnczch.biz tcp
US 8.8.8.8:53 brsua.biz udp
IE 3.254.94.185:80 brsua.biz tcp
US 8.8.8.8:53 dlynankz.biz udp
DE 85.214.228.140:80 dlynankz.biz tcp
US 8.8.8.8:53 gjogvvpsf.biz udp
US 8.8.8.8:53 oflybfv.biz udp
US 44.200.43.61:80 oflybfv.biz tcp
US 8.8.8.8:53 yhqqc.biz udp
US 8.8.8.8:53 reczwga.biz udp
US 34.211.97.45:80 yhqqc.biz tcp
US 44.221.84.105:80 reczwga.biz tcp
US 8.8.8.8:53 bghjpy.biz udp
US 34.211.97.45:80 bghjpy.biz tcp
US 8.8.8.8:53 mnjmhp.biz udp
US 44.200.43.61:80 mnjmhp.biz tcp
US 8.8.8.8:53 opowhhece.biz udp
US 8.8.8.8:53 damcprvgv.biz udp
US 18.208.156.248:80 damcprvgv.biz tcp
US 18.208.156.248:80 damcprvgv.biz tcp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 ocsvqjg.biz udp
IE 3.254.94.185:80 ocsvqjg.biz tcp
US 8.8.8.8:53 jdhhbs.biz udp
SG 13.251.16.150:80 jdhhbs.biz tcp
US 8.8.8.8:53 ywffr.biz udp
US 54.244.188.177:80 ywffr.biz tcp
US 8.8.8.8:53 ecxbwt.biz udp
US 54.244.188.177:80 ecxbwt.biz tcp
US 8.8.8.8:53 mgmsclkyu.biz udp
IE 34.246.200.160:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 pectx.biz udp
US 44.213.104.86:80 pectx.biz tcp
US 8.8.8.8:53 warkcdu.biz udp
SG 18.141.10.107:80 warkcdu.biz tcp
US 8.8.8.8:53 zyiexezl.biz udp
US 18.208.156.248:80 zyiexezl.biz tcp
US 8.8.8.8:53 banwyw.biz udp
US 44.221.84.105:80 banwyw.biz tcp
US 8.8.8.8:53 muapr.biz udp
US 8.8.8.8:53 wxgzshna.biz udp
US 8.8.8.8:53 zrlssa.biz udp
US 44.221.84.105:80 zrlssa.biz tcp
US 8.8.8.8:53 jlqltsjvh.biz udp
SG 18.141.10.107:80 jlqltsjvh.biz tcp
US 8.8.8.8:53 gcedd.biz udp
SG 13.251.16.150:80 gcedd.biz tcp
US 8.8.8.8:53 xyrgy.biz udp
US 18.208.156.248:80 xyrgy.biz tcp
SG 13.251.16.150:80 gcedd.biz tcp
US 8.8.8.8:53 htwqzczce.biz udp
US 54.157.24.8:80 htwqzczce.biz tcp
US 54.157.24.8:80 htwqzczce.biz tcp
US 8.8.8.8:53 kvbjaur.biz udp
US 54.244.188.177:80 kvbjaur.biz tcp
US 8.8.8.8:53 uphca.biz udp
US 44.221.84.105:80 uphca.biz tcp
US 8.8.8.8:53 jwkoeoqns.biz udp
US 18.208.156.248:80 jwkoeoqns.biz tcp
US 8.8.8.8:53 fjumtfnz.biz udp
US 34.211.97.45:80 fjumtfnz.biz tcp
US 8.8.8.8:53 xccjj.biz udp
US 44.213.104.86:80 xccjj.biz tcp
US 8.8.8.8:53 hehckyov.biz udp
US 44.221.84.105:80 hehckyov.biz tcp
US 8.8.8.8:53 hlzfuyy.biz udp
US 34.211.97.45:80 hlzfuyy.biz tcp
US 8.8.8.8:53 rynmcq.biz udp
US 54.244.188.177:80 rynmcq.biz tcp
US 8.8.8.8:53 rffxu.biz udp
IE 34.246.200.160:80 rffxu.biz tcp
US 8.8.8.8:53 uaafd.biz udp
IE 3.254.94.185:80 uaafd.biz tcp
US 8.8.8.8:53 cikivjto.biz udp
US 44.213.104.86:80 cikivjto.biz tcp
US 8.8.8.8:53 eufxebus.biz udp
SG 18.141.10.107:80 eufxebus.biz tcp
US 8.8.8.8:53 qncdaagct.biz udp
US 34.218.204.173:80 qncdaagct.biz tcp
US 8.8.8.8:53 shpwbsrw.biz udp
SG 13.251.16.150:80 shpwbsrw.biz tcp
US 8.8.8.8:53 pwlqfu.biz udp
IE 34.246.200.160:80 pwlqfu.biz tcp
US 8.8.8.8:53 rrqafepng.biz udp
US 44.200.43.61:80 rrqafepng.biz tcp
US 8.8.8.8:53 ctdtgwag.biz udp
US 3.94.10.34:80 ctdtgwag.biz tcp
US 8.8.8.8:53 cjvgcl.biz udp
US 18.208.156.248:80 cjvgcl.biz tcp
US 8.8.8.8:53 tnevuluw.biz udp
US 35.164.78.200:80 tnevuluw.biz tcp
US 8.8.8.8:53 neazudmrq.biz udp
US 44.221.84.105:80 neazudmrq.biz tcp
US 8.8.8.8:53 pgfsvwx.biz udp
US 18.208.156.248:80 pgfsvwx.biz tcp
US 8.8.8.8:53 whjovd.biz udp
SG 18.141.10.107:80 whjovd.biz tcp
US 8.8.8.8:53 aatcwo.biz udp
US 34.218.204.173:80 aatcwo.biz tcp
US 8.8.8.8:53 kcyvxytog.biz udp
US 18.208.156.248:80 kcyvxytog.biz tcp
US 8.8.8.8:53 nwdnxrd.biz udp
US 54.244.188.177:80 nwdnxrd.biz tcp
US 8.8.8.8:53 gjogvvpsf.biz udp
US 8.8.8.8:53 reczwga.biz udp
US 8.8.8.8:53 ereplfx.biz udp
US 44.213.104.86:80 ereplfx.biz tcp
US 44.221.84.105:80 reczwga.biz tcp
US 8.8.8.8:53 ptrim.biz udp
US 8.8.8.8:53 bghjpy.biz udp
SG 18.141.10.107:80 ptrim.biz tcp
US 34.211.97.45:80 bghjpy.biz tcp
US 8.8.8.8:53 damcprvgv.biz udp
US 18.208.156.248:80 damcprvgv.biz tcp
US 8.8.8.8:53 ocsvqjg.biz udp
IE 3.254.94.185:80 ocsvqjg.biz tcp
US 8.8.8.8:53 znwbniskf.biz udp
US 34.218.204.173:80 znwbniskf.biz tcp
US 8.8.8.8:53 ywffr.biz udp
US 54.244.188.177:80 ywffr.biz tcp
US 8.8.8.8:53 cpclnad.biz udp
US 44.221.84.105:80 cpclnad.biz tcp
US 8.8.8.8:53 ecxbwt.biz udp
US 54.244.188.177:80 ecxbwt.biz tcp
US 8.8.8.8:53 mjheo.biz udp
US 44.221.84.105:80 mjheo.biz tcp
US 8.8.8.8:53 wluwplyh.biz udp
SG 18.141.10.107:80 wluwplyh.biz tcp
US 8.8.8.8:53 pectx.biz udp
US 44.213.104.86:80 pectx.biz tcp
US 8.8.8.8:53 zyiexezl.biz udp
US 18.208.156.248:80 zyiexezl.biz tcp
US 8.8.8.8:53 banwyw.biz udp
US 44.221.84.105:80 banwyw.biz tcp
US 8.8.8.8:53 muapr.biz udp
US 8.8.8.8:53 wxgzshna.biz udp
US 8.8.8.8:53 zrlssa.biz udp
US 44.221.84.105:80 zrlssa.biz tcp
US 8.8.8.8:53 zgapiej.biz udp
US 18.208.156.248:80 zgapiej.biz tcp
US 8.8.8.8:53 jlqltsjvh.biz udp
SG 18.141.10.107:80 jlqltsjvh.biz tcp
US 8.8.8.8:53 jifai.biz udp
US 44.221.84.105:80 jifai.biz tcp
US 8.8.8.8:53 xnxvnn.biz udp
SG 13.251.16.150:80 xnxvnn.biz tcp
US 8.8.8.8:53 xyrgy.biz udp
US 18.208.156.248:80 xyrgy.biz tcp
US 8.8.8.8:53 htwqzczce.biz udp
US 54.157.24.8:80 htwqzczce.biz tcp
US 8.8.8.8:53 ihcnogskt.biz udp
US 35.164.78.200:80 ihcnogskt.biz tcp
US 8.8.8.8:53 kkqypycm.biz udp
SG 18.141.10.107:80 kkqypycm.biz tcp
US 8.8.8.8:53 uevrpr.biz udp
US 44.213.104.86:80 uevrpr.biz tcp
US 8.8.8.8:53 fgajqjyhr.biz udp
US 34.211.97.45:80 fgajqjyhr.biz tcp
US 8.8.8.8:53 hagujcj.biz udp
US 18.208.156.248:80 hagujcj.biz tcp
US 8.8.8.8:53 sctmku.biz udp
US 35.164.78.200:80 sctmku.biz tcp
US 54.157.24.8:80 htwqzczce.biz tcp
US 8.8.8.8:53 kvbjaur.biz udp
US 8.8.8.8:53 cwyfknmwh.biz udp
US 54.244.188.177:80 kvbjaur.biz tcp
US 8.8.8.8:53 qcrsp.biz udp
US 34.211.97.45:80 qcrsp.biz tcp
US 8.8.8.8:53 uphca.biz udp
US 44.221.84.105:80 uphca.biz tcp
US 8.8.8.8:53 sewlqwcd.biz udp
US 44.221.84.105:80 sewlqwcd.biz tcp
US 8.8.8.8:53 fjumtfnz.biz udp
US 34.211.97.45:80 fjumtfnz.biz tcp
US 8.8.8.8:53 dyjdrp.biz udp
US 54.244.188.177:80 dyjdrp.biz tcp
US 8.8.8.8:53 hlzfuyy.biz udp
US 8.8.8.8:53 napws.biz udp
US 35.164.78.200:80 napws.biz tcp
US 34.211.97.45:80 hlzfuyy.biz tcp
US 8.8.8.8:53 rffxu.biz udp
US 8.8.8.8:53 qvuhsaqa.biz udp
IE 34.246.200.160:80 rffxu.biz tcp
US 54.244.188.177:80 qvuhsaqa.biz tcp
US 8.8.8.8:53 cikivjto.biz udp
US 44.213.104.86:80 cikivjto.biz tcp
US 8.8.8.8:53 qncdaagct.biz udp
US 8.8.8.8:53 apzzls.biz udp
US 34.218.204.173:80 qncdaagct.biz tcp
US 34.211.97.45:80 apzzls.biz tcp
US 8.8.8.8:53 krnsmlmvd.biz udp
US 8.8.8.8:53 shpwbsrw.biz udp
SG 13.251.16.150:80 shpwbsrw.biz tcp
US 34.218.204.173:80 krnsmlmvd.biz tcp
US 8.8.8.8:53 nlscndwp.biz udp
US 54.244.188.177:80 nlscndwp.biz tcp
US 8.8.8.8:53 bzkysubds.biz udp
US 8.8.8.8:53 cjvgcl.biz udp
US 18.208.156.248:80 cjvgcl.biz tcp
US 3.94.10.34:80 bzkysubds.biz tcp
US 8.8.8.8:53 neazudmrq.biz udp
US 8.8.8.8:53 ltpqsnu.biz udp
US 44.221.84.105:80 neazudmrq.biz tcp
US 18.208.156.248:80 ltpqsnu.biz tcp
US 8.8.8.8:53 pgfsvwx.biz udp
US 8.8.8.8:53 vnvbt.biz udp
US 44.213.104.86:80 vnvbt.biz tcp
US 18.208.156.248:80 pgfsvwx.biz tcp
US 8.8.8.8:53 ypituyqsq.biz udp
US 8.8.8.8:53 aatcwo.biz udp
US 3.94.10.34:80 ypituyqsq.biz tcp
US 34.218.204.173:80 aatcwo.biz tcp
US 8.8.8.8:53 ijnmvqa.biz udp
US 35.164.78.200:80 ijnmvqa.biz tcp
US 8.8.8.8:53 kcyvxytog.biz udp
US 18.208.156.248:80 kcyvxytog.biz tcp
US 8.8.8.8:53 nwdnxrd.biz udp
US 54.244.188.177:80 nwdnxrd.biz tcp
US 8.8.8.8:53 tltxn.biz udp
US 18.208.156.248:80 tltxn.biz tcp
US 8.8.8.8:53 vgypotwp.biz udp
US 54.244.188.177:80 vgypotwp.biz tcp
US 8.8.8.8:53 ereplfx.biz udp
US 44.213.104.86:80 ereplfx.biz tcp
US 8.8.8.8:53 ptrim.biz udp
SG 18.141.10.107:80 ptrim.biz tcp
US 8.8.8.8:53 giliplg.biz udp
US 44.213.104.86:80 giliplg.biz tcp
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 udp
SG 18.141.10.107:80 tcp

Files

memory/2236-5-0x0000000002750000-0x00000000027B7000-memory.dmp

memory/2236-0-0x0000000002750000-0x00000000027B7000-memory.dmp

memory/2236-9-0x0000000000400000-0x0000000002742000-memory.dmp

memory/2236-10-0x0000000004B40000-0x0000000004B41000-memory.dmp

memory/2236-11-0x0000000005360000-0x0000000005361000-memory.dmp

memory/2236-12-0x0000000005370000-0x0000000005371000-memory.dmp

memory/2236-15-0x0000000005390000-0x0000000005391000-memory.dmp

\Windows\System32\alg.exe

MD5 5f5e55637be2d0589bae1497cb8c3887
SHA1 e5301399ca319b9676e755057877d1a202f21923
SHA256 bfb579d89174e2d3fc9ab986b3b1d24bfb36fb6df40cf43d78b74da5ffa5070f
SHA512 3d8e9555e2d4bf9d2714f9966a486e17b1283557ffb0a0aff2cfcefa51e56a990db845fea1e715483224d5d0d1fce9dcf9117e6a0ad38458fc4eb22920b5516f

memory/2236-14-0x0000000005380000-0x0000000005381000-memory.dmp

memory/2236-20-0x00000000053C0000-0x00000000053C1000-memory.dmp

memory/1148-19-0x0000000000430000-0x0000000000490000-memory.dmp

memory/2236-18-0x00000000053B0000-0x00000000053B1000-memory.dmp

memory/2236-17-0x00000000053A0000-0x00000000053A1000-memory.dmp

memory/1148-29-0x0000000000430000-0x0000000000490000-memory.dmp

memory/2236-28-0x0000000000400000-0x0000000002742000-memory.dmp

memory/1148-31-0x0000000100000000-0x00000001001E3000-memory.dmp

\Users\Admin\AppData\Local\Temp\gcapi_17182060182236.dll

MD5 f637d5d3c3a60fddb5dd397556fe9b1d
SHA1 66f0c4f137870a9927400ea00facc00193ef21e3
SHA256 641b843cb6ee7538ec267212694c9ef0616b9ac9ab14a0abd7cf020678d50b02
SHA512 e96984f2f9c6858e989f10fd8e71b09a8a640c9be2fb87ac1692d9bca7107d7a837f8fbdcc46c01a6107dd9020994c5a6f975b7e16434e9b2bf1c43b1f0d8b31

\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

MD5 044091ace917c13227f576e56e323aa4
SHA1 61a35ebf5f3abe2c05e4c3eb64e2461b2ddc8e7b
SHA256 c41d9134a6cc8d779efd21c9cc819d4984f50897f837bf98313b1f5919677dc7
SHA512 4eb6fcb69637fae3fd9e744144e93c2e1e05036be5ebf1f6999b42c9cb02f3d14e66c488a209951e744202a9ad4ad9377d398b243d33cc970d9450e02a274bf1

memory/2236-41-0x0000000000400000-0x0000000002742000-memory.dmp

memory/2836-42-0x0000000140000000-0x00000001401DC000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

MD5 efccc599b54336bdae917a05676cee1a
SHA1 4172e14dcd99ac21b00812a2e48ff6547d142033
SHA256 11beef756b00ffef88d06781ad4f95b8d3ec5ab81f5fc95c426996183d3d215a
SHA512 4f0e571256e32490e939ed131f3edf5d2dea02c9835551c0cae7ceb88cf20ea7137f3c46d72dc5fa1ea58b95dbba846c08c8150ecac0d56128e1c909d5bb7c9a

memory/2548-50-0x0000000000340000-0x00000000003A7000-memory.dmp

memory/2548-45-0x0000000000340000-0x00000000003A7000-memory.dmp

memory/2548-52-0x0000000010000000-0x00000000101DE000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

MD5 7645ea1a7317fc603571acdbc6e76b72
SHA1 31a5723b7d755e887a10c3d30cb9918fe224c410
SHA256 4795853c6ce0549a13a8a0b903595da52edf30ab44456f41ce87d394355e9049
SHA512 63654e4efade6105839f80d4f86ae1bb048d7b8e3aa48cd5a2728b6be7e64b29fd43ea271e69aa6ce4a572b8c85e3b82452bdda9b83ce22cf9e1cfbf0b7e461f

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

MD5 dbfb16f993914c00ce74e7c7636efed2
SHA1 e528cdedfb5d097ccbee568492389fdc11020b76
SHA256 e6157218415284c36fb30c8f7b12a046216512d27567a831141a6255fc3d025f
SHA512 ac31f0c432ec8c842798a94e7e2c6ec82d25c620e0e00ade844c0b3d9194c68db772c51011a025051e2f92a5a001765bea252994e22de4c79bbd07f257521d4d

memory/752-65-0x0000000010000000-0x00000000101E6000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

MD5 2baeb0eb5188c81e3cb0420fd98dccb5
SHA1 6211252502871796d38dd95e5a037d82e02a40c0
SHA256 826c515bb0e02182e3127f26232e71349f03cd1a4d47796a5824b5fc63111826
SHA512 14f6591711f66a97a8c521c3fd89516a9226ed1643cd71a111a90429995ad2d8b9b537265e47187eba20ad14e6f8b7f253a4704306ebacd30d8f79a246713286

memory/2548-66-0x0000000010000000-0x00000000101DE000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 a0b671bdefee3dc6560248283a8c9524
SHA1 6ef3e86fa70ca456290cc378d9589bc07fba2623
SHA256 a982be00ad4d431999787b2858001767a9a1777cb6d8e5a5906154865909b96e
SHA512 ea356db7309a946067391f4e34360e78e147e318298567fd8692f76b39dc8c332b6d0d62c94a3a5bb4d7f7f6224b2860563f0ecb9f42a6c8dd3ee1b86bb7f93f

memory/1920-74-0x0000000000380000-0x00000000003E7000-memory.dmp

memory/1920-79-0x0000000000380000-0x00000000003E7000-memory.dmp

memory/1920-81-0x0000000000400000-0x00000000005E7000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

MD5 40743e80c92e96f5aada5103f9cd2ac3
SHA1 7cd20c9ed15e8d76efd736ae7b5ee34c74e8ff6c
SHA256 dcd0c6f39447a33f4c6b7600acc6b127addf239264344fa8d9af31a5e2a4422b
SHA512 e0c9e6195f3bd77635e9ce21579d4c908c3da9c6a44af5b18f87cc1ce3275af741d636b502493b738d2ad0003cd0e46dcabaea9bdfb4fdcc5711b19ced479bba

memory/1824-94-0x00000000001E0000-0x0000000000240000-memory.dmp

memory/1824-88-0x00000000001E0000-0x0000000000240000-memory.dmp

memory/2236-106-0x0000000009640000-0x0000000009650000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

MD5 cc1175dd86d7a970b7042009e79f5255
SHA1 104c164cb0d20e79235b2e6acbf38a00148bfb77
SHA256 ea86999cd13f05d87bf60ed22da787eb86df52d73819fade67f626f74d75c137
SHA512 e72b448e14ff8cc9b62d8dcc590c44cc314079f6d17e4d59a5adca6e6f6e8b895b5897bee00123968cc04495321b416c4fd884bba3fdff7e9d936c53b10517da

memory/2236-100-0x00000000094A0000-0x00000000094B0000-memory.dmp

C:\Windows\System32\dllhost.exe

MD5 872f2a03d5c3f692d1542dbb4c623768
SHA1 fb5096795215d9b2e9712eee8d907f1dd193b0bf
SHA256 e920c32fab76a68e647885b848d68e3a6ac56478f5520c97085f1fc360b14fa7
SHA512 6ae9c74744906c93a843425c71d1e220c8533a744e0288134984154d9b334a25d5b80399a9bc79d1e3b757f5c87aae78b3e2c982d8a9bf76aad08056e288abc9

memory/2236-153-0x0000000000400000-0x0000000002742000-memory.dmp

memory/1824-155-0x0000000140000000-0x00000001401ED000-memory.dmp

C:\Windows\ehome\ehrecvr.exe

MD5 85da776047e0416ac34b3fe84c7b2a80
SHA1 c1797d9e7553ff02c6c437a7bb2ea77f76586a4c
SHA256 21685e10dad9dd15e800487dd91dc26449a66ced0fae5a64e5b86a3a9b94c692
SHA512 11f2b1fa5db65a978c39f790d838f76e6f399190db1ac24147afd7da6158bbd019e4f4e89a24fbe634ca41c846307c4cf0b1832563afe779fbbd709f84a6d1ce

memory/2168-176-0x0000000100000000-0x00000001001D4000-memory.dmp

C:\Windows\ehome\ehsched.exe

MD5 972d6b175bf7af53303549c1d9068b59
SHA1 d178f24709ad5239a4160b74d8ac82801cabdbaf
SHA256 f3de870b9d37e3a6bb155a5de7c073a158cc0baef14e0134a2274e77e345051b
SHA512 dc8b812d8c3576ba6e89840af48672dcd889ac03074655556c53ea92ff1e152303e0d8ef664059766eef9bf438c3a46df8360f8f5de29fbc4798e3d47c160a87

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

MD5 26090c4d1a18e5e72b0639ff690d304e
SHA1 eea9be22a5dec4b6c8cbd5de66b996041263e686
SHA256 e026649e8c0b399394b184f3a7382c1fac2cfa65c27841e91690ebc17b74c098
SHA512 e9619dc6bf2eff2bd5aa5bbc717f9df7b4e3a66993cd7d9fce8c0809f12d65fc621ea17284081548304821e3bc2d3e584b892b830557f3825b14039027eb0fd6

memory/2236-227-0x0000000000400000-0x0000000002742000-memory.dmp

memory/1336-231-0x0000000100000000-0x00000001001D4000-memory.dmp

memory/2428-229-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/2360-228-0x0000000140000000-0x000000014013C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

MD5 6c16d581164088624820017cb08be8d5
SHA1 17f5ad39b0d890e1adff995da60ffafda5c86eed
SHA256 ac353f5fbdc6a89bbc95bff4e346b4fc751d3155432fccf3793ea00b87136944
SHA512 60e1ced0361ad648108a19fe218c1aa27e852d5349e9b98d11e93b906f5fd70a7be31c318a818246c2004ae067669652e69b14c77c7e96d864048e35c9090244

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

MD5 374012fe6f381c1f9edd1893db20f666
SHA1 00a01c49398d1c599ea114ff5125b73c491e8223
SHA256 8002ce98aba28a2ba7ada11383b46a408c2499e9dbaae16272c19eb8def187d7
SHA512 2999a8210e4a0215139033a08bb96b93d316763edcce366ee295f14fe420e416544e94f57d99eaad9e6be1f5844f3e8842f8b0cd3ce935189afd15c51d64713b

memory/1148-241-0x0000000100000000-0x00000001001E3000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 515ce172df002da7bcb59cfe437979c7
SHA1 94ebc29af01922df1cf1df581bf6b62f0b0a8536
SHA256 71b9565d376daa4983573a0d85e750e70d91a7057cac228eaf21c722d4eee682
SHA512 717b0080ce1490439832baf20d13920456f04134728fc56458c78a5634c1206e66fd3937c7195fe3d847547ad517f17f4522c2ba4745bb34b29f823b7af671c1

memory/2576-259-0x0000000140000000-0x0000000140237000-memory.dmp

\Windows\System32\ieetwcollector.exe

MD5 69086cd0026fc0e484edbfeacdcf3523
SHA1 164064301a59e18db5db51e26bd8ad7a73b5a853
SHA256 a3ec9335f2facefcd80fb6e265343982baf063949f577822b5975f4a018f415b
SHA512 0b65800be9cc3b60729d4d4721171ff8ff582b35b97a6c44bc26f58877f5873c46d40110e42e8049ee9edd3a2eae9e4565cf6195d740e4be41e32802ee1224b3

memory/2800-277-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/2236-258-0x0000000000400000-0x0000000002742000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YIJSEOI3.txt

MD5 ff52259b5088351501f6fd97da0f3888
SHA1 91e6cddc4203e272ac8987bf2d11fb9ddb7c9d74
SHA256 4aead69e8be4f7afe63f5514d8471bca46fbd2bf15d55cf66b7ed65a7e5ee865
SHA512 6c52e57cfc5b350bc44e00105a960ca8d569e7ad1a1ce8f64dfa379efc297585b2802c9df628d8cddacb97b4a1b5f9f9965bcceb6b1ddeddd7cfd73293639220

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ZVF3Y91C.txt

MD5 74055ee58998759207d8bdccf3554117
SHA1 b6feb6511a524a1b6fb206df6d7c5f2c64446f48
SHA256 5dbf06e2fa12abb829c5a24aee459fb460d3d63b4f4ba05d649dd9cf9c60cbb9
SHA512 2804b667d282765439704b95ffd5d010eb5e9eecf6dd75becd59bdfe7d5b35dffa913ce3155b548e8b4ac2d095cc2c9dce8ce617376ef58f4723af536e8b1047

memory/916-318-0x0000000100000000-0x00000001001D4000-memory.dmp

memory/2836-317-0x0000000140000000-0x00000001401DC000-memory.dmp

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

MD5 07665713f1f63aeb76512b40c1fecc1d
SHA1 046c6ae2c0e8663c0faee4b4d56e1fcc837851e4
SHA256 07360af897485421770cdd6c19aad04741aebbdd1f57f623d8e938003535249e
SHA512 a77d871dba42cfcfe39d3c39d7dfcd0d4d66532e24320e0d4a6cb505823c6b5ed86127fcbd726d36ab330c5d3f23d5ecdff2333e88446954b27cdaa178da1db8

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 fad7c4bf74a7bfb45ec4e4d3a8ecfdd6
SHA1 f21e91d068d1fd99bf459610bb865a8230754e52
SHA256 e27c9f422da99d231b4007bb796d31fbdc7d9d5ab8ba20818cb18d84fc181451
SHA512 9bfe5f299b829d1e413910552e756c071a25b89ceaaee06b15bcbf0a02d3cdeac9635e0dd9f2425b5627a5c50f590e1c36d161632995acaffb508f7e3f595a0b

memory/1344-345-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1344-341-0x0000000140000000-0x0000000140209000-memory.dmp

memory/2568-329-0x000000002E000000-0x000000002FE1E000-memory.dmp

memory/2348-374-0x0000000000400000-0x00000000005E7000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 c2d2c825f1e3d0b1e177392009870256
SHA1 c31b64c5758170fbd56da692f2f410937a2fb32f
SHA256 a28f704f1f614af2b25bdf73b4c66723bc262db529cfa0250c05b29d6f7d66dd
SHA512 b3f6fef46bab97cf78f70a5812fe8efd437add2446ce52116b92f4da0cbaf16eab2064e43f3e0f5f87c2fbc96dcdef9e83d625753fb6aeb7e2f9c4d7db467f18

memory/2452-380-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/264-399-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/2348-402-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/2428-398-0x0000000140000000-0x00000001401F1000-memory.dmp

C:\Windows\system32\msiexec.exe

MD5 34d50de7f7a0624920acbf6b4b1c2e83
SHA1 5a1e11d63a833fb4f2a1f25cb4be6b6753564462
SHA256 ddcc9c7b9c046da6a263d618c6984acfe96429bc98a95eff3f69a40ccfd4a5ca
SHA512 8c088ba2ef62d1564bf94d322df3df4aabbb0428eb0139fdcb8ec96269a43302b50d635ca01859081dda5d956a154dde82a318e414bc351e721b63566b4812cb

memory/264-415-0x0000000000400000-0x00000000005E7000-memory.dmp

memory/1232-414-0x0000000000400000-0x00000000005E7000-memory.dmp

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 e0b0155b401bdc928df6840c9081d9e3
SHA1 dc644b646affbaaa5ec7256e2c09490c4ac23c3a
SHA256 e21f5c327aa184bf9dc8b95a335e67470428d5aab9604c80f72b2611d535720a
SHA512 22f7c24e2323e88bd1d22e50d6219831748b10dcd8bfb66be7b17bc7c126a3e5f6f370417b35e70f915c58b38c3541ac7a7ca936d534684795baf9c05ab3e124

memory/2360-397-0x0000000140000000-0x000000014013C000-memory.dmp

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

MD5 80593d3e37e371da09b2767cff24257f
SHA1 a3af6d17b8ac4f13af8b9790897eefa523fba3ea
SHA256 fa673652a47c21b579aefd68208b4ae3338b5672b891c7823472ac0e908d7071
SHA512 853d1d3488575fa940c08a038e9c0014a7f40b68d4acf0d790db6547e294b5a4931953e722bc8c85265fd35099371800dfe28978aa28a65c32272a3f74fc3ff7

C:\Windows\SysWOW64\perfhost.exe

MD5 108f6958c028efc7935a95c0ebae6121
SHA1 1cd05e74847ac90fa9696fd736c939dede6e7dd6
SHA256 3bb2e484e52f0a28aecced77dfa0680cb87205a0c9c850711c8b00ca08c87d9e
SHA512 f1fe10dcb64181cca3bcd5bb3bfecc08b8d588890c6f0a7109fc69182e2ae72d569ea9f9e263fa67f46745bf40ff65069046d7a06aa1ce868e664888e5f07162

memory/2576-468-0x0000000140000000-0x0000000140237000-memory.dmp

\Windows\System32\Locator.exe

MD5 b639e23592549a243c449f1e7ba7a321
SHA1 89cc5286b35d6f76f883b7c3c0eeb241d4e5051a
SHA256 3b91c95ad221cbf9c9119968c69c1406b0eece5cb347f00f7a00d163c3217816
SHA512 c7d5c6a6fdd6326bd014fb7d017370f61ebf00620a96970becf3647dc43c05e1bffea5b7b7eb91fa9fe6f881b3ce491d4cfc031ba0c9c9e042f0f1e8e1ede5fb

C:\Windows\System32\snmptrap.exe

MD5 bee382fc8f3fee7a7542a014a6054090
SHA1 6babb53f2b8b6117677a563f116d8f0ecf7acc68
SHA256 6a58b4ae16154ef48aa1a175dc81208c9299f71cd42875c62886bb6117477984
SHA512 1ecc8f534148cb44e9f20db31176fc19d4372419a06950b4cc51736693e3aa85cc3ec19eff5a02b33b6ec3c445329522efe971e227d8d73db1709485ac56d35c

memory/1232-500-0x0000000000400000-0x00000000005E7000-memory.dmp

C:\Windows\System32\vds.exe

MD5 e8be96c589fece0c13e1f314ee0cbde2
SHA1 72099368f8df6cc207488d6e4c63e8fdcb51601f
SHA256 164ee10c6d82ac205dc628a6730f0b9937c3b45b9f4dfa283ea8d8ecb30c1671
SHA512 8eda374bf8d418239aef6e4430c74516211763d2bfdf31048302f26bc56adfca8e01c2a03212c391cd842e4ef346525c38aabe889687143055e64ab4ce845584

C:\Windows\System32\VSSVC.exe

MD5 c97d9910063fdfeb44c88b1874a93eb7
SHA1 f2c4da650b6ac4dba3d3efdc8314fc4578dd762d
SHA256 cb13c178269696457826154b3ff39ec899b20184e0b7b9749d11633568a40c3e
SHA512 9df82dbe35c96ca0ee7e6c43d63fb8278e5441e6ab88de0f4b6efa44207327e63e5519f598df8ecb0872f9ee0c05f6e32e5750a948f6e4168de543b6fb547ad4

\Windows\System32\wbengine.exe

MD5 871034efb8fb6ee792d3067b345e16ea
SHA1 d2fc4ab9970428f89ad2ff75415fac44e9637ba8
SHA256 e72be92269785ff753d7fd7a1f0fa9b35586f48a93b34080aed3f336c97c854f
SHA512 aa222c630e5494616b3d22f7d48a954448271a6e0a2e20501bee57ac2b10f6aad38bff07a47c7fa53c783300d5b178ebe49115c41c0b35dd6e70e075a52442d4

memory/2800-542-0x0000000140000000-0x00000001401ED000-memory.dmp

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 0f3da5340b13ca6f401b3a4f1686855d
SHA1 62637e99292aa1ef4ce9bb37c067d970cca28c21
SHA256 17c5e91de0195bcbf44cc051bfa54dfd1be3d0a0429bb6eebd4c3f1445da0eab
SHA512 979f1192ead603b8f8396916e2f72f545b4d69fe8a987f1685064d6284392e08e13f5dc271e3d607b0347871acddadc1fff77645ccb632ecca659e2860b2320f

C:\Program Files\Windows Media Player\wmpnetwk.exe

MD5 b26628eea1907b17c35750532ce4d849
SHA1 f6c8adfab00e3cf0503af297889744ee272154a9
SHA256 9d0baf9331fe4f7ca9b262f0e46f2afcabc5f58282be7d23c6f1c19dbcf7376c
SHA512 95216a86e696977ff6cb5f6782ececbf642c817c4cbffae0d7b1143fb04823b9bfcf2afff9862fe57aed8f3d659e12d1915711d398c89664be989543b1e28990

C:\Windows\System32\SearchIndexer.exe

MD5 dd65054ad8993a0f94adfc5ad4e97296
SHA1 6ab2d307443a9b87dd60413d55c1bcd3b6e25a42
SHA256 5b833e68d964f0ea5e3545ec0c2ddc66b3785c83b898d90d1c89af2d55f7bb8e
SHA512 bd9a70dda8c87970cab8969311096080ce3d71019d2d9df97045c1bb4bebc7bf1b77e5aa0b9e9f3ce491da87dd7c5a230e1d1f872366eb1c3d88a4a0951abe44

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

MD5 178a003832b7c460b174e899f6f9caf5
SHA1 34b68ede2369f3fa855274f5f9363b7db7274fcf
SHA256 eda0aeb4444694d9bde14638e91999bc018eba1a94fba57987c13de666ab4e2c
SHA512 7aed908d2bf2c9444e3fce66662832c3c22c6f10019c580dd36ec71c39179626761612fada37e5700f75facf5cae2c1d0cc05fc106653dc04c082c2b773e1e9c

memory/2568-780-0x000000002E000000-0x000000002FE1E000-memory.dmp

memory/2656-784-0x0000000003D30000-0x0000000003DEA000-memory.dmp

memory/2428-900-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/2800-991-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/2452-997-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/2360-1010-0x0000000140000000-0x000000014013C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-12 15:26
Reported: 2024-06-12 15:29
Platform: win10v2004-20240611-en
Max time kernel: 93s
Max time network: 95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe"

Signatures

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
Key opened \REGISTRY\MACHINE\Software\WOW6432Node\Avira\Antivirus C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A

Checks system information in the registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
(this row is repeated 40 times in the original report: 40 process-enumeration events, all from the sample process, with no indicator detail recorded)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe N/A
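
The signature tables above are flat Description / Indicator / Process rows. As an added example (not from the report or the sandbox vendor), the script below turns those rows into events and runs a small rule set over them, mapping each hit to a MITRE ATT&CK technique. The ATT&CK IDs (T1542.003 Bootkit, T1518.001 Security Software Discovery, T1082 System Information Discovery, T1614 System Location Discovery) are the standard ones; the rule names, severities and the extra AV vendor key names beyond Avast and Avira are my own choices.

```python
"""Added example (not part of the sandbox report): turn the Description / Indicator /
Process rows into events and run detection rules over them. ATT&CK technique IDs are
the standard ones; rule names, severities and the vendor list are my own choices."""
import re
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe"

# Constructed from the behavioral2 signature tables: (description, indicator, process).
EVENTS = [
    ("Key value queried", r"\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation", SAMPLE),
    ("Key opened", r"\REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast", SAMPLE),
    ("Key opened", r"\REGISTRY\MACHINE\Software\WOW6432Node\Avira\Antivirus", SAMPLE),
    ("File opened for modification", r"\??\PhysicalDrive0", SAMPLE),
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer", SAMPLE),
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName", SAMPLE),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString", SAMPLE),
    ("Key opened", r"\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0", SAMPLE),
]


@dataclass(frozen=True)
class Rule:
    name: str
    attack_id: str
    severity: str
    description: str  # regex over the event description
    indicator: str    # regex over the indicator path (matched case-insensitively)


RULES = [
    # Opening \??\PhysicalDriveN for write from user mode is how the MBR gets overwritten.
    Rule("raw-disk-open-for-write", "T1542.003", "critical",
         r"opened for modification", r"^\\\?\?\\PhysicalDrive\d+$"),
    # Vendor keys beyond AVAST Software / Avira are added by me; they are real key names.
    Rule("av-vendor-registry-probe", "T1518.001", "medium",
         r"^Key (opened|value queried)$",
         r"\\Software\\(WOW6432Node\\)?(AVAST Software|Avira|ESET|Kaspersky Lab|McAfee)\\"),
    # Manufacturer / product / CPU strings: the values sandbox-detection code usually reads.
    Rule("hardware-fingerprint", "T1082", "low",
         r"^Key (opened|value queried|queried)$",
         r"\\(SystemInformation\\System(Manufacturer|ProductName)|CentralProcessor)(\\|$)"),
    Rule("geo-nation-lookup", "T1614", "low",
         r"^Key value queried$", r"\\Control Panel\\International\\Geo\\Nation$"),
]

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def detect(events, rules=RULES):
    """Return one hit per (event, rule) pair whose description and indicator both match."""
    hits = []
    for description, indicator, process in events:
        for rule in rules:
            if re.search(rule.description, description) and re.search(rule.indicator, indicator, re.IGNORECASE):
                hits.append({"rule": rule.name, "attack": rule.attack_id, "severity": rule.severity,
                             "indicator": indicator, "process": process})
    return hits


def summarize(hits):
    """Counts per rule, the highest severity seen, and the sorted set of ATT&CK IDs."""
    by_rule = {}
    for h in hits:
        by_rule[h["rule"]] = by_rule.get(h["rule"], 0) + 1
    highest = max((h["severity"] for h in hits), key=SEVERITY_ORDER.get, default=None)
    return {"by_rule": by_rule, "highest": highest, "techniques": sorted({h["attack"] for h in hits})}


if __name__ == "__main__":
    for h in detect(EVENTS):
        print(f'{h["severity"]:8} {h["attack"]:10} {h["rule"]:26} {h["indicator"]}')
    print(summarize(detect(EVENTS)))
```

The one high-signal event in this table is the sample process in %TEMP% opening \??\PhysicalDrive0 for modification; the registry reads are also made by legitimate installers, so a production rule set should weight the raw-disk write and treat the rest as context rather than alerts on their own.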

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4812 -ip 4812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 4412

Network

Country Destination Domain Proto
US 8.8.8.8:53 ncc.avast.com udp
NL 96.16.53.161:80 ncc.avast.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 161.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.192:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 192.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 analytics.ff.avast.com udp
US 34.117.223.223:443 analytics.ff.avast.com tcp
US 8.8.8.8:53 223.223.117.34.in-addr.arpa udp
US 8.8.8.8:53 www.ccleaner.com udp
US 8.8.8.8:53 ip-info.ff.avast.com udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 8.8.8.8:53 ipm-provider.ff.avast.com udp
BE 104.90.25.36:443 www.ccleaner.com tcp
BE 104.90.25.36:443 www.ccleaner.com tcp
US 34.160.176.28:443 shepherd.ff.avast.com tcp
US 34.149.149.62:443 ip-info.ff.avast.com tcp
US 34.111.24.1:443 ipm-provider.ff.avast.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 172.217.169.67:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 172.217.169.67:80 o.pki.goog tcp
GB 172.217.169.67:80 o.pki.goog tcp
US 8.8.8.8:53 download.ccleaner.com udp
US 8.8.8.8:53 28.176.160.34.in-addr.arpa udp
US 8.8.8.8:53 62.149.149.34.in-addr.arpa udp
US 8.8.8.8:53 36.25.90.104.in-addr.arpa udp
US 8.8.8.8:53 1.24.111.34.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
NL 104.80.229.38:443 download.ccleaner.com tcp
US 8.8.8.8:53 license-api.ccleaner.com udp
BE 104.90.25.36:443 license-api.ccleaner.com tcp
US 8.8.8.8:53 38.229.80.104.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 233.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 160.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
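
Roughly half of the rows above are in-addr.arpa PTR queries, which are reverse lookups of addresses the host talked to, not additional destinations. As an added example (not part of the report), the script below parses the table, separates DNS from TCP, converts each PTR name back to an IP and checks whether that IP appears as a TCP destination in the same table. The input is a constructed excerpt (the first rows of the table); the same function takes the full table.

```python
"""Added example (not part of the sandbox report): parse the Network table, separate DNS
lookups from TCP connections, and map in-addr.arpa PTR queries back to IP addresses so they
can be matched against the connections the table actually shows."""
import re
from collections import defaultdict

# Constructed input: the first rows of the behavioral2 Network table, copied verbatim.
NETWORK_TABLE = """\
US 8.8.8.8:53 ncc.avast.com udp
NL 96.16.53.161:80 ncc.avast.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 161.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 www.ccleaner.com udp
BE 104.90.25.36:443 www.ccleaner.com tcp
BE 104.90.25.36:443 www.ccleaner.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 172.217.169.67:80 c.pki.goog tcp
US 8.8.8.8:53 36.25.90.104.in-addr.arpa udp
US 8.8.8.8:53 download.ccleaner.com udp
NL 104.80.229.38:443 download.ccleaner.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
"""

ROW = re.compile(r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})\s+(?P<name>\S+)\s+(?P<proto>udp|tcp)$")
PTR_SUFFIX = ".in-addr.arpa"


def ip_key(ip):
    """Sort key so addresses order numerically rather than as strings."""
    return tuple(int(o) for o in ip.split("."))


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW.match(line)
        if m is None:
            raise ValueError(f"unparseable network row: {line!r}")
        row = m.groupdict()
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def ptr_to_ip(name):
    """'161.53.16.96.in-addr.arpa' -> '96.16.53.161'; None if the name is not a PTR query.
    PTR labels are the address octets in reverse order."""
    if not name.endswith(PTR_SUFFIX):
        return None
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def correlate(rows):
    domains = set()
    tcp_endpoints = defaultdict(set)
    ptr_ips = set()
    for r in rows:
        ip = ptr_to_ip(r["name"])
        if ip is not None:
            ptr_ips.add(ip)
            continue
        domains.add(r["name"])
        if r["proto"] == "tcp":
            tcp_endpoints[r["name"]].add(f'{r["ip"]}:{r["port"]}')
    tcp_ips = {ep.split(":")[0] for eps in tcp_endpoints.values() for ep in eps}
    return {
        "domains": sorted(domains),
        "tcp_endpoints": {d: sorted(eps) for d, eps in sorted(tcp_endpoints.items())},
        # Port 80 destinations: worth checking individually, they are not all C2 candidates.
        "plaintext_http": sorted(d for d, eps in tcp_endpoints.items() if any(ep.endswith(":80") for ep in eps)),
        "ptr_matched": sorted(ptr_ips & tcp_ips, key=ip_key),
        "ptr_unmatched": sorted(ptr_ips - tcp_ips, key=ip_key),
    }


if __name__ == "__main__":
    for k, v in correlate(parse_rows(NETWORK_TABLE)).items():
        print(f"{k}: {v}")
```

PTR queries whose address never appears as a TCP destination (8.8.8.8 and the 40.x, 20.x, 13.x, 52.x and 2.17.x addresses in the full table) point at traffic the table does not list, so they are worth a second look rather than being dropped as noise. Of the port-80 destinations, c.pki.goog and o.pki.goog are Google's CRL and OCSP hosts, which serve revocation data over plain HTTP by design; ncc.avast.com on port 80 is the one to confirm against the dropped files before treating it as anything more than installer traffic.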

Files

memory/4812-0-0x0000000002E60000-0x0000000002E61000-memory.dmp

memory/4812-1-0x0000000005290000-0x0000000005291000-memory.dmp

memory/4812-2-0x00000000052A0000-0x00000000052A1000-memory.dmp

memory/4812-3-0x00000000052B0000-0x00000000052B1000-memory.dmp

memory/4812-4-0x00000000052C0000-0x00000000052C1000-memory.dmp

memory/4812-5-0x00000000052D0000-0x00000000052D1000-memory.dmp

memory/4812-6-0x00000000052E0000-0x00000000052E1000-memory.dmp

memory/4812-7-0x00000000052F0000-0x00000000052F1000-memory.dmp

memory/4812-8-0x0000000000400000-0x0000000002742000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gcapi_17182060074812.dll

MD5 f637d5d3c3a60fddb5dd397556fe9b1d
SHA1 66f0c4f137870a9927400ea00facc00193ef21e3
SHA256 641b843cb6ee7538ec267212694c9ef0616b9ac9ab14a0abd7cf020678d50b02
SHA512 e96984f2f9c6858e989f10fd8e71b09a8a640c9be2fb87ac1692d9bca7107d7a837f8fbdcc46c01a6107dd9020994c5a6f975b7e16434e9b2bf1c43b1f0d8b31

memory/4812-17-0x000000000C780000-0x000000000C790000-memory.dmp

memory/4812-23-0x000000000C8E0000-0x000000000C8F0000-memory.dmp

memory/4812-41-0x000000000D450000-0x000000000D458000-memory.dmp

memory/4812-43-0x000000000D2F0000-0x000000000D2F8000-memory.dmp

memory/4812-44-0x000000000D2E0000-0x000000000D2E1000-memory.dmp

memory/4812-46-0x000000000D2F0000-0x000000000D2F8000-memory.dmp

memory/4812-49-0x000000000D2E0000-0x000000000D2E8000-memory.dmp

memory/4812-52-0x000000000D2A0000-0x000000000D2A1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

MD5 9535bbfcfd2a6eaf1c9523cb3eb3d9ac
SHA1 e81080957ca709b3a2b000d86c908861d75c00a9
SHA256 bb964f2530acab357dc47d3fadfa93e6f29a1a3779cae4d961c1adc3da17f3e2
SHA512 03aae1900e83d7c7db30a6c152c21a9664d7142d8c9a2cef0124f68a59ca2777390535813710971ec50b2b0f06f76a961fc1a73c0a68338fef94dff6e7efa37b

memory/4812-64-0x000000000D390000-0x000000000D398000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

MD5 23defed2ca8e26a7c52dcb769f3f4094
SHA1 afe1a902befbd3f37e91962cf8e30a74df6531c8
SHA256 49adce17ef4ba9c6fc2f8b5c1d86d7a159652005c49bc514836a15c7e4bae5fa
SHA512 93543fd5be33b3b08fb3fcf61f69c55ce51fac5f688850c653c9d669e6ab4bcdc7b18b04a11689d272c8c472200bb5f5c05a7eadaed13b116c24fce2478e47c0

memory/4812-73-0x000000000D2A0000-0x000000000D2A1000-memory.dmp

memory/4812-69-0x000000000D2E0000-0x000000000D2E1000-memory.dmp

memory/4812-66-0x000000000D3D0000-0x000000000D3D8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

MD5 4d3b06c8e4d8c2f7cec3f7a1921a903e
SHA1 7e9d60ff8e05e00929426aab28f4c7e7145dcd8b
SHA256 94ef4c61c9fd68fdacc5c5b1c24fa476a9c400cc4343cb8fa5b5d15d4e1b6cf6
SHA512 74ccd64cda9a3cf9a4ae3851fbfb9440d22698f09c03077f65073f55f56f5220b939cf6b52dc4a9bed9c58d7d18facd9409017d98c05f5fa59894f222305c660

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-us\default.dic

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/4812-177-0x0000000000400000-0x0000000002742000-memory.dmp