Analysis Overview
SHA256
a8e4d28bdc0eb1f642059ada096afc4d63c874f949f63d0386e92acae798d43b
Threat Level: Known bad
The file 2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil was found to be: Known bad.
Malicious Activity Summary
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Downloads MZ/PE file
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Checks for any installed AV software in registry
Writes to the Master Boot Record (MBR)
Checks installed software on the system
Checks system information in the registry
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Program crash
Unsigned PE
Enumerates physical storage devices
Modifies data under HKEY_USERS
Uses Volume Shadow Copy WMI provider
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Uses Volume Shadow Copy service COM API
Modifies system certificate store
Checks processor information in registry
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-12 15:26
Signatures
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 15:26
Reported
2024-06-12 15:29
Platform
win7-20240611-en
Max time kernel
151s
Max time network
157s
Signatures
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Reads user/profile data of web browsers
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Software\Wow6432Node\AVAST Software\Avast | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Software\Wow6432Node\Avira\Antivirus | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
Checks installed software on the system
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
Checks system information in the registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\msiexec.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Windows\system32\locator.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Windows\System32\snmptrap.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Windows\system32\vssvc.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Windows\system32\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Windows\System32\msdtc.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\perfhost.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | N/A |
| File opened for modification | C:\Windows\system32\SearchIndexer.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Windows\system32\IEEtwCollector.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\60a03b688ab55808.bin | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Windows\system32\IEEtwCollector.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Windows\System32\vds.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Windows\system32\wbengine.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\kinit.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\ssvagent.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\tnameserv.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\pack200.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\jabswitch.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\klist.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\javaws.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\javacpl.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\ssvagent.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\keytool.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\ehome\ehsched.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{959BB25A-F142-4186-9E76-840953322F6E}.crmlog | C:\Windows\system32\dllhost.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | C:\Windows\System32\alg.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\ehome\ehRecvr.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\ehome\ehRecvr.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{959BB25A-F142-4186-9E76-840953322F6E}.crmlog | C:\Windows\system32\dllhost.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\ehome\ehsched.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-102 = "Desert" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SNTSearch.dll,-505 = "Sticky Notes" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\filemgmt.dll,-2204 = "Services" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\FXSRESM.dll,-115 = "Send and receive faxes or scan pictures and documents." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\DVD Maker\DVDMaker.exe,-61403 = "Windows DVD Maker" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\wucltux.dll,-2 = "Delivers software updates and drivers, and provides automatic updating options." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\ehome\ehres.dll,-116 = "Opens your home entertainment option for digital and on-demand media, including TV, movies, music and pictures." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-117 = "Maid with the Flaxen Hair" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Filemgmt.dll,-602 = "Starts, stops, and configures Windows services." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10021 = "Performance Monitor" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10061 = "Spider Solitaire" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10307 = "Purble Place is an educational and entertaining game that comprises three distinct games that help teach colors, shapes and pattern recognition." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10054 = "Chess Titans" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10058 = "Purble Place" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10209 = "More Games from Microsoft" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\Explorer.exe,-312 = "Play and manage games on your computer." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16" | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10030 = "Resource Monitor" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\syncCenter.dll,-3001 = "Sync files between your computer and network folders" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SoundRecorder.exe,-100 = "Sound Recorder" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-101 = "Event Viewer" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\Speech\SpeechUX\sapi.cpl,-5555 = "Windows Speech Recognition" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\rstrui.exe,-100 = "System Restore" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\AuthFWGP.dll,-20 = "Windows Firewall with Advanced Security" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\iscsicpl.dll,-5001 = "iSCSI Initiator" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\ehome\ehRecvr.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wucltux.dll,-1 = "Windows Update" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10060 = "Solitaire" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10305 = "Hearts is a trick-based card game in which the goal is to get rid of cards while avoiding points. The player with the lowest number of points wins." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\MdSched.exe,-4002 = "Check your computer for memory problems." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000800a4a19ddbcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291 = "Math Input Panel" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10309 = "Solitaire is the classic, single-player card game. The aim is to collect all the cards in runs of alternating red and black suit colors, from ace through king." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-591 = "Windows Easy Transfer Reports" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10103 = "Internet Spades" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msra.exe,-100 = "Windows Remote Assistance" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000" | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020de7c27ddbcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\System\wab32res.dll,-4602 = "Contact file" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074 = "Windows Journal" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10301 = "Enjoy the classic strategy game of Backgammon. Compete against players online and race to be the first to remove all your playing pieces from the board." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\recdisc.exe,-2001 = "Creates a disc you can use to access system recovery options." | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\ehome\ehres.dll,-100 = "Windows Media Center" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (binary value not reproduced) | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
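A caveat on the entry above before treating it as tampering: the key name is the SHA-1 fingerprint of the public DigiCert Global Root CA, and AuthRoot is the cache that CryptoAPI's automatic root update fills when a TLS handshake (the HTTPS connections in the Network table are candidates) needs a root that is not yet on the machine. A single AuthRoot write keyed by a genuine root thumbprint is usually environment noise; what deserves attention is a Blob whose embedded certificate does not hash to the key name, or writes to the ROOT or Disallowed stores. The check below is an added example written for this page, not code from the sandbox or its authors. It parses the serialized property records that Windows stores in a `Blob` value (DWORD propId, DWORD reserved = 1, DWORD length, data; propId 32 carries the DER certificate, propId 3 the SHA-1) and verifies that the key name matches the certificate. Because the report does not reproduce the Blob bytes, the input is constructed: a placeholder byte string stands in for the DER certificate, and `build_blob` exists only to serialize that test input.

```python
import hashlib
import struct

# Property IDs from wincrypt.h.
CERT_SHA1_HASH_PROP_ID = 3
CERT_CERT_PROP_ID = 32


def parse_cert_blob(blob: bytes) -> dict:
    """Split a SystemCertificates\\...\\<thumbprint>\\Blob value into its property records.

    The value is a sequence of records, each: DWORD propId, DWORD reserved (always 1),
    DWORD cbData, then cbData bytes, all little-endian. Returns {propId: bytes} and
    raises ValueError if a record header or body runs past the end of the value.
    """
    props = {}
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, reserved, cb = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1:
            raise ValueError(f"unexpected reserved value {reserved} in record {prop_id}")
        if off + cb > len(blob):
            raise ValueError(f"record {prop_id} claims {cb} bytes past end of value")
        props[prop_id] = blob[off:off + cb]
        off += cb
    return props


def thumbprint_of(der: bytes) -> str:
    """Upper-case hex SHA-1 of a DER certificate, the form Windows uses as the key name."""
    return hashlib.sha1(der).hexdigest().upper()


def check_store_entry(key_thumbprint: str, blob: bytes) -> dict:
    """Cross-check one registry entry: the key name must equal the SHA-1 of the embedded
    certificate, and the stored SHA-1 property (when present) must agree with it."""
    props = parse_cert_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        raise ValueError("no certificate record (propId 32) in Blob")
    sha1 = thumbprint_of(der)
    stored = props.get(CERT_SHA1_HASH_PROP_ID)
    return {
        "key_thumbprint": key_thumbprint.upper(),
        "computed_sha1": sha1,
        "key_matches_cert": sha1 == key_thumbprint.upper(),
        "stored_hash_matches": stored is None or stored.hex().upper() == sha1,
        "cert_len": len(der),
    }


def is_well_formed(blob: bytes) -> bool:
    """True when every record parses; False for a truncated or malformed value."""
    try:
        parse_cert_blob(blob)
        return True
    except ValueError:
        return False


def build_blob(der: bytes) -> bytes:
    """Serialize a Blob in the same record layout. Used here only to construct test
    input; on a real host the value is read from the registry instead."""
    def record(prop_id: int, data: bytes) -> bytes:
        return struct.pack("<III", prop_id, 1, len(data)) + data
    return (record(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(der).digest())
            + record(CERT_CERT_PROP_ID, der))


# Constructed input: a placeholder stands in for a DER certificate because the report's
# Blob bytes are not reproduced on this page. The thumbprint is the key name from the
# table above.
PLACEHOLDER_DER = b"\x30\x82\x00\x10placeholder-not-a-real-certificate"
REPORT_THUMBPRINT = "A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436"

if __name__ == "__main__":
    blob = build_blob(PLACEHOLDER_DER)
    # Key name derived from the blob's own certificate: a consistent entry.
    print(check_store_entry(thumbprint_of(PLACEHOLDER_DER), blob))
    # Key name from the report with a certificate that does not hash to it: flagged.
    print(check_store_entry(REPORT_THUMBPRINT, blob))
```

On a live host the value comes from `winreg.QueryValueEx` on the key path shown in the table (or from a `reg export` of the hive in a forensic image); feed those bytes to `check_store_entry` with the key name. A `key_matches_cert` of False means the entry was written by something other than CryptoAPI's own store logic and the embedded certificate should be pulled out of `props[32]` and examined.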
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe"
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 250 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1f0 -NGENProcess 25c -Pipe 1d8 -Comment "NGen Worker Process"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 244 -NGENProcess 260 -Pipe 24c -Comment "NGen Worker Process"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 268 -NGENProcess 258 -Pipe 254 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1f0 -NGENProcess 270 -Pipe 244 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 264 -NGENProcess 258 -Pipe 1d4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 278 -NGENProcess 268 -Pipe 274 -Comment "NGen Worker Process"
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-39690363-730359138-1046745555-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-39690363-730359138-1046745555-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1f0 -NGENProcess 27c -Pipe 264 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 260 -NGENProcess 280 -Pipe 240 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 250 -NGENProcess 27c -Pipe 258 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 270 -NGENProcess 288 -Pipe 260 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1f0 -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 26c -NGENProcess 288 -Pipe 278 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 288 -NGENProcess 27c -Pipe 294 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 25c -NGENProcess 298 -Pipe 26c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 290 -NGENProcess 29c -Pipe 280 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 290 -NGENProcess 268 -Pipe 298 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2a0 -NGENProcess 29c -Pipe 2a4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 2a0 -NGENProcess 290 -Pipe 28c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 288 -NGENProcess 29c -Pipe 25c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1bc -NGENProcess 1c0 -Pipe 1d0 -Comment "NGen Worker Process"
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
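The Network table that follows is long, and most of it is the same pattern repeated: a DNS lookup for a short, random-looking `.biz` hostname, then an HTTP connection on port 80 to one of a small set of IPs that many different hostnames resolve to. That many-domains-to-one-IP fan-in is the useful triage signal, more so than the look of any single name. The helper below is an added example written for this page, not part of the sandbox report. It parses rows in the table's own pipe-delimited format, drops rows with no captured domain, groups the TCP destinations by IP, and applies a deliberately coarse per-label heuristic. Two assumptions are mine, not the report's: the vendor endpoints visible in the table (Avast, CCleaner, Google's CRL/OCSP and analytics hosts) are treated as sandbox-image noise rather than sample traffic, and the heuristic thresholds are illustrative. The sample rows are copied from the table; the final empty-domain row is the form the page uses for a DNS query with no captured name.

```python
import re
from collections import defaultdict

# Rows copied from the Network table of this report. The last row is the empty-Domain
# form (a DNS query with no captured name) that the parser must tolerate.
SAMPLE_ROWS = """\
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 54.244.188.177:80 | pywolwnvd.biz | tcp |
| US | 8.8.8.8:53 | ncc.avast.com | udp |
| NL | 96.16.53.146:80 | ncc.avast.com | tcp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| SG | 18.141.10.107:80 | ssbzmoy.biz | tcp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 54.244.188.177:80 | cvgrf.biz | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 172.217.169.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| SG | 18.141.10.107:80 | knjghuig.biz | tcp |
| US | 8.8.8.8:53 | deoci.biz | udp |
| US | 18.208.156.248:80 | deoci.biz | tcp |
| US | 8.8.8.8:53 | | udp |
"""

# Assumption: software installed in the sandbox image (the vendors seen in the table)
# produces this traffic on its own, so it is filtered as environment noise.
NOISE_SUFFIXES = ("avast.com", "ccleaner.com", "pki.goog", "google-analytics.com")

ROW_RE = re.compile(
    r"^\|\s*(\w{2})\s*\|\s*([\d.]+):(\d+)\s*\|\s*([^|]*?)\s*\|\s*(udp|tcp)\s*\|$"
)


def parse_rows(text: str) -> list:
    """Return (country, ip, port, domain, proto) for each well-formed table row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        country, ip, port, domain, proto = m.groups()
        rows.append((country, ip, int(port), domain.lower(), proto))
    return rows


def is_noise(domain: str) -> bool:
    return any(domain == s or domain.endswith("." + s) for s in NOISE_SUFFIXES)


def looks_generated(domain: str) -> bool:
    """Coarse DGA heuristic on the second-level label: five or more letters and either a
    vowel ratio of 0.3 or less or a run of four or more consonants. It misses
    pronounceable names such as deoci.biz; the fan-in check in triage() catches those."""
    labels = domain.split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    if len(sld) < 5 or not sld.isalpha():
        return False
    vowels = sum(ch in "aeiou" for ch in sld)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", sld)), default=0)
    return vowels / len(sld) <= 0.3 or longest_run >= 4


def triage(text: str, min_fan_in: int = 2) -> dict:
    """Group non-noise TCP destinations by IP, report IPs serving several distinct
    hostnames, and list hostnames the label heuristic flags."""
    rows = parse_rows(text)
    by_ip = defaultdict(set)
    for _, ip, _, domain, proto in rows:
        if proto != "tcp" or not domain or is_noise(domain):
            continue
        by_ip[ip].add(domain)
    fan_in = {ip: sorted(d) for ip, d in by_ip.items() if len(d) >= min_fan_in}
    dga_like = sorted(
        {d for _, _, _, d, _ in rows if d and not is_noise(d) and looks_generated(d)}
    )
    return {"by_ip": dict(by_ip), "fan_in": fan_in, "dga_like": dga_like}


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for ip, domains in result["fan_in"].items():
        print(f"{ip} served {len(domains)} distinct hostnames: {', '.join(domains)}")
    print("label heuristic flagged:", ", ".join(result["dga_like"]))
```

Run it over the full table rather than the excerpt: every `.biz` hostname on the page resolves to one of roughly a dozen IPs, so `fan_in` collapses several hundred rows into a short list of destinations to block or hunt for, and the IPs in that list are the indicators worth keeping even after the hostnames rotate.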
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 54.244.188.177:80 | pywolwnvd.biz | tcp |
| US | 8.8.8.8:53 | ncc.avast.com | udp |
| NL | 96.16.53.146:80 | ncc.avast.com | tcp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| SG | 18.141.10.107:80 | ssbzmoy.biz | tcp |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 54.244.188.177:80 | pywolwnvd.biz | tcp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| SG | 18.141.10.107:80 | ssbzmoy.biz | tcp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 54.244.188.177:80 | cvgrf.biz | tcp |
| US | 8.8.8.8:53 | npukfztj.biz | udp |
| US | 44.221.84.105:80 | npukfztj.biz | tcp |
| US | 8.8.8.8:53 | przvgke.biz | udp |
| US | 54.157.24.8:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 54.244.188.177:80 | cvgrf.biz | tcp |
| US | 8.8.8.8:53 | analytics.ff.avast.com | udp |
| US | 54.157.24.8:80 | przvgke.biz | tcp |
| US | 34.117.223.223:443 | analytics.ff.avast.com | tcp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| SG | 18.141.10.107:80 | knjghuig.biz | tcp |
| US | 8.8.8.8:53 | npukfztj.biz | udp |
| US | 44.221.84.105:80 | npukfztj.biz | tcp |
| US | 8.8.8.8:53 | przvgke.biz | udp |
| US | 44.208.124.139:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | www.ccleaner.com | udp |
| US | 8.8.8.8:53 | ipm-provider.ff.avast.com | udp |
| US | 8.8.8.8:53 | ip-info.ff.avast.com | udp |
| US | 8.8.8.8:53 | shepherd.ff.avast.com | udp |
| US | 34.149.149.62:443 | ip-info.ff.avast.com | tcp |
| US | 34.111.24.1:443 | ipm-provider.ff.avast.com | tcp |
| BE | 104.90.25.36:443 | www.ccleaner.com | tcp |
| BE | 104.90.25.36:443 | www.ccleaner.com | tcp |
| US | 34.160.176.28:443 | shepherd.ff.avast.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 172.217.169.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | license-api.ccleaner.com | udp |
| GB | 172.217.169.67:80 | c.pki.goog | tcp |
| BE | 104.90.25.36:443 | license-api.ccleaner.com | tcp |
| US | 8.8.8.8:53 | download.ccleaner.com | udp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| NL | 104.123.45.5:443 | download.ccleaner.com | tcp |
| GB | 172.217.169.67:80 | o.pki.goog | tcp |
| GB | 172.217.169.67:80 | o.pki.goog | tcp |
| US | 44.208.124.139:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | ipmcdn.avast.com | udp |
| US | 8.8.8.8:53 | ssl.google-analytics.com | udp |
| US | 34.117.223.223:443 | analytics.ff.avast.com | tcp |
| GB | 216.58.212.232:443 | ssl.google-analytics.com | tcp |
| NL | 23.51.79.68:443 | ipmcdn.avast.com | tcp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | vjaxhpbji.biz | udp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| US | 8.8.8.8:53 | vjaxhpbji.biz | udp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| US | 8.8.8.8:53 | xlfhhhm.biz | udp |
| US | 44.200.43.61:80 | xlfhhhm.biz | tcp |
| US | 8.8.8.8:53 | ifsaia.biz | udp |
| SG | 13.251.16.150:80 | ifsaia.biz | tcp |
| US | 8.8.8.8:53 | saytjshyf.biz | udp |
| US | 44.221.84.105:80 | saytjshyf.biz | tcp |
| US | 8.8.8.8:53 | vcddkls.biz | udp |
| SG | 18.141.10.107:80 | vcddkls.biz | tcp |
| US | 8.8.8.8:53 | fwiwk.biz | udp |
| US | 34.193.97.35:80 | fwiwk.biz | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 34.193.97.35:80 | fwiwk.biz | tcp |
| US | 8.8.8.8:53 | tbjrpv.biz | udp |
| IE | 34.246.200.160:80 | tbjrpv.biz | tcp |
| US | 8.8.8.8:53 | deoci.biz | udp |
| US | 18.208.156.248:80 | deoci.biz | tcp |
| US | 8.8.8.8:53 | gytujflc.biz | udp |
| US | 208.100.26.245:80 | gytujflc.biz | tcp |
| US | 8.8.8.8:53 | qaynky.biz | udp |
| SG | 13.251.16.150:80 | qaynky.biz | tcp |
| US | 8.8.8.8:53 | | udp |
| SG | 18.141.10.107:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | xlfhhhm.biz | udp |
| US | 44.200.43.61:80 | xlfhhhm.biz | tcp |
| US | 8.8.8.8:53 | bumxkqgxu.biz | udp |
| US | 44.221.84.105:80 | bumxkqgxu.biz | tcp |
| US | 8.8.8.8:53 | dwrqljrr.biz | udp |
| US | 54.244.188.177:80 | dwrqljrr.biz | tcp |
| US | 8.8.8.8:53 | nqwjmb.biz | udp |
| US | 35.164.78.200:80 | nqwjmb.biz | tcp |
| US | 8.8.8.8:53 | ytctnunms.biz | udp |
| US | 3.94.10.34:80 | ytctnunms.biz | tcp |
| US | 8.8.8.8:53 | myups.biz | udp |
| US | 165.160.13.20:80 | myups.biz | tcp |
| US | 8.8.8.8:53 | oshhkdluh.biz | udp |
| US | 54.244.188.177:80 | oshhkdluh.biz | tcp |
| US | 8.8.8.8:53 | yunalwv.biz | udp |
| US | 8.8.8.8:53 | jpskm.biz | udp |
| US | 34.211.97.45:80 | jpskm.biz | tcp |
| US | 8.8.8.8:53 | ifsaia.biz | udp |
| SG | 13.251.16.150:80 | ifsaia.biz | tcp |
| US | 8.8.8.8:53 | lrxdmhrr.biz | udp |
| US | 54.244.188.177:80 | lrxdmhrr.biz | tcp |
| US | 8.8.8.8:53 | wllvnzb.biz | udp |
| SG | 18.141.10.107:80 | wllvnzb.biz | tcp |
| US | 8.8.8.8:53 | saytjshyf.biz | udp |
| US | 44.221.84.105:80 | saytjshyf.biz | tcp |
| US | 8.8.8.8:53 | vcddkls.biz | udp |
| SG | 18.141.10.107:80 | vcddkls.biz | tcp |
| US | 8.8.8.8:53 | gnqgo.biz | udp |
| US | 18.208.156.248:80 | gnqgo.biz | tcp |
| US | 8.8.8.8:53 | jhvzpcfg.biz | udp |
| US | 44.221.84.105:80 | jhvzpcfg.biz | tcp |
| US | 8.8.8.8:53 | acwjcqqv.biz | udp |
| SG | 18.141.10.107:80 | acwjcqqv.biz | tcp |
| US | 8.8.8.8:53 | fwiwk.biz | udp |
| US | 34.193.97.35:80 | fwiwk.biz | tcp |
| US | 34.193.97.35:80 | fwiwk.biz | tcp |
| US | 8.8.8.8:53 | tbjrpv.biz | udp |
| IE | 34.246.200.160:80 | tbjrpv.biz | tcp |
| US | 8.8.8.8:53 | lejtdj.biz | udp |
| US | 8.8.8.8:53 | deoci.biz | udp |
| US | 8.8.8.8:53 | vyome.biz | udp |
| US | 18.208.156.248:80 | deoci.biz | tcp |
| US | 44.213.104.86:80 | vyome.biz | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | gytujflc.biz | udp |
| US | 18.208.156.248:80 | deoci.biz | tcp |
| US | 208.100.26.245:80 | gytujflc.biz | tcp |
| US | 8.8.8.8:53 | iuzpxe.biz | udp |
| SG | 13.251.16.150:80 | iuzpxe.biz | tcp |
| US | 8.8.8.8:53 | qaynky.biz | udp |
| SG | 13.251.16.150:80 | qaynky.biz | tcp |
| US | 8.8.8.8:53 | sxmiywsfv.biz | udp |
| SG | 13.251.16.150:80 | sxmiywsfv.biz | tcp |
| US | 8.8.8.8:53 | bumxkqgxu.biz | udp |
| US | 44.221.84.105:80 | bumxkqgxu.biz | tcp |
| US | 8.8.8.8:53 | dwrqljrr.biz | udp |
| US | 54.244.188.177:80 | dwrqljrr.biz | tcp |
| US | 8.8.8.8:53 | nqwjmb.biz | udp |
| US | 35.164.78.200:80 | nqwjmb.biz | tcp |
| US | 8.8.8.8:53 | vrrazpdh.biz | udp |
| US | 34.211.97.45:80 | vrrazpdh.biz | tcp |
| US | 3.94.10.34:80 | ytctnunms.biz | tcp |
| US | 8.8.8.8:53 | myups.biz | udp |
| US | 165.160.13.20:80 | myups.biz | tcp |
| US | 8.8.8.8:53 | ftxlah.biz | udp |
| US | 34.218.204.173:80 | ftxlah.biz | tcp |
| US | 8.8.8.8:53 | oshhkdluh.biz | udp |
| US | 54.244.188.177:80 | oshhkdluh.biz | tcp |
| US | 8.8.8.8:53 | typgfhb.biz | udp |
| SG | 13.251.16.150:80 | typgfhb.biz | tcp |
| US | 8.8.8.8:53 | yunalwv.biz | udp |
| US | 8.8.8.8:53 | jpskm.biz | udp |
| US | 34.211.97.45:80 | jpskm.biz | tcp |
| US | 8.8.8.8:53 | esuzf.biz | udp |
| US | 34.211.97.45:80 | esuzf.biz | tcp |
| US | 8.8.8.8:53 | lrxdmhrr.biz | udp |
| US | 54.244.188.177:80 | lrxdmhrr.biz | tcp |
| US | 8.8.8.8:53 | gvijgjwkh.biz | udp |
| US | 3.94.10.34:80 | gvijgjwkh.biz | tcp |
| US | 8.8.8.8:53 | wllvnzb.biz | udp |
| SG | 18.141.10.107:80 | wllvnzb.biz | tcp |
| US | 8.8.8.8:53 | qpnczch.biz | udp |
| US | 44.213.104.86:80 | qpnczch.biz | tcp |
| US | 8.8.8.8:53 | brsua.biz | udp |
| IE | 3.254.94.185:80 | brsua.biz | tcp |
| US | 8.8.8.8:53 | dlynankz.biz | udp |
| DE | 85.214.228.140:80 | dlynankz.biz | tcp |
| US | 8.8.8.8:53 | oflybfv.biz | udp |
| US | 44.200.43.61:80 | oflybfv.biz | tcp |
| US | 8.8.8.8:53 | yhqqc.biz | udp |
| US | 34.211.97.45:80 | yhqqc.biz | tcp |
| US | 8.8.8.8:53 | gnqgo.biz | udp |
| US | 18.208.156.248:80 | gnqgo.biz | tcp |
| US | 8.8.8.8:53 | jhvzpcfg.biz | udp |
| US | 44.221.84.105:80 | jhvzpcfg.biz | tcp |
| US | 8.8.8.8:53 | mnjmhp.biz | udp |
| US | 44.200.43.61:80 | mnjmhp.biz | tcp |
| US | 8.8.8.8:53 | acwjcqqv.biz | udp |
| SG | 18.141.10.107:80 | acwjcqqv.biz | tcp |
| US | 8.8.8.8:53 | opowhhece.biz | udp |
| US | 18.208.156.248:80 | opowhhece.biz | tcp |
| US | 8.8.8.8:53 | zjbpaao.biz | udp |
| US | 8.8.8.8:53 | jdhhbs.biz | udp |
| SG | 13.251.16.150:80 | jdhhbs.biz | tcp |
| US | 8.8.8.8:53 | lejtdj.biz | udp |
| US | 8.8.8.8:53 | vyome.biz | udp |
| US | 44.213.104.86:80 | vyome.biz | tcp |
| US | 8.8.8.8:53 | yauexmxk.biz | udp |
| US | 18.208.156.248:80 | yauexmxk.biz | tcp |
| US | 8.8.8.8:53 | mgmsclkyu.biz | udp |
| IE | 34.246.200.160:80 | mgmsclkyu.biz | tcp |
| US | 8.8.8.8:53 | iuzpxe.biz | udp |
| SG | 13.251.16.150:80 | iuzpxe.biz | tcp |
| US | 8.8.8.8:53 | warkcdu.biz | udp |
| SG | 18.141.10.107:80 | warkcdu.biz | tcp |
| US | 8.8.8.8:53 | gcedd.biz | udp |
| SG | 13.251.16.150:80 | gcedd.biz | tcp |
| US | 8.8.8.8:53 | jwkoeoqns.biz | udp |
| US | 18.208.156.248:80 | jwkoeoqns.biz | tcp |
| US | 8.8.8.8:53 | xccjj.biz | udp |
| US | 44.213.104.86:80 | xccjj.biz | tcp |
| US | 8.8.8.8:53 | sxmiywsfv.biz | udp |
| SG | 13.251.16.150:80 | sxmiywsfv.biz | tcp |
| US | 8.8.8.8:53 | hehckyov.biz | udp |
| US | 44.221.84.105:80 | hehckyov.biz | tcp |
| US | 8.8.8.8:53 | rynmcq.biz | udp |
| US | 54.244.188.177:80 | rynmcq.biz | tcp |
| US | 8.8.8.8:53 | uaafd.biz | udp |
| IE | 3.254.94.185:80 | uaafd.biz | tcp |
| US | 8.8.8.8:53 | eufxebus.biz | udp |
| SG | 18.141.10.107:80 | eufxebus.biz | tcp |
| US | 8.8.8.8:53 | vrrazpdh.biz | udp |
| US | 34.211.97.45:80 | vrrazpdh.biz | tcp |
| US | 8.8.8.8:53 | ftxlah.biz | udp |
| US | 34.218.204.173:80 | ftxlah.biz | tcp |
| US | 8.8.8.8:53 | typgfhb.biz | udp |
| US | 8.8.8.8:53 | pwlqfu.biz | udp |
| SG | 13.251.16.150:80 | typgfhb.biz | tcp |
| IE | 34.246.200.160:80 | pwlqfu.biz | tcp |
| US | 8.8.8.8:53 | rrqafepng.biz | udp |
| US | 44.200.43.61:80 | rrqafepng.biz | tcp |
| US | 8.8.8.8:53 | ctdtgwag.biz | udp |
| US | 3.94.10.34:80 | ctdtgwag.biz | tcp |
| US | 8.8.8.8:53 | tnevuluw.biz | udp |
| US | 35.164.78.200:80 | tnevuluw.biz | tcp |
| US | 8.8.8.8:53 | esuzf.biz | udp |
| US | 34.211.97.45:80 | esuzf.biz | tcp |
| US | 8.8.8.8:53 | whjovd.biz | udp |
| SG | 18.141.10.107:80 | whjovd.biz | tcp |
| US | 8.8.8.8:53 | gvijgjwkh.biz | udp |
| US | 3.94.10.34:80 | gvijgjwkh.biz | tcp |
| US | 8.8.8.8:53 | qpnczch.biz | udp |
| US | 44.213.104.86:80 | qpnczch.biz | tcp |
| US | 8.8.8.8:53 | brsua.biz | udp |
| IE | 3.254.94.185:80 | brsua.biz | tcp |
| US | 8.8.8.8:53 | dlynankz.biz | udp |
| DE | 85.214.228.140:80 | dlynankz.biz | tcp |
| US | 8.8.8.8:53 | gjogvvpsf.biz | udp |
| US | 8.8.8.8:53 | oflybfv.biz | udp |
| US | 44.200.43.61:80 | oflybfv.biz | tcp |
| US | 8.8.8.8:53 | yhqqc.biz | udp |
| US | 8.8.8.8:53 | reczwga.biz | udp |
| US | 34.211.97.45:80 | yhqqc.biz | tcp |
| US | 44.221.84.105:80 | reczwga.biz | tcp |
| US | 8.8.8.8:53 | bghjpy.biz | udp |
| US | 34.211.97.45:80 | bghjpy.biz | tcp |
| US | 8.8.8.8:53 | mnjmhp.biz | udp |
| US | 44.200.43.61:80 | mnjmhp.biz | tcp |
| US | 8.8.8.8:53 | opowhhece.biz | udp |
| US | 8.8.8.8:53 | damcprvgv.biz | udp |
| US | 18.208.156.248:80 | damcprvgv.biz | tcp |
| US | 18.208.156.248:80 | damcprvgv.biz | tcp |
| US | 8.8.8.8:53 | zjbpaao.biz | udp |
| US | 8.8.8.8:53 | ocsvqjg.biz | udp |
| IE | 3.254.94.185:80 | ocsvqjg.biz | tcp |
| US | 8.8.8.8:53 | jdhhbs.biz | udp |
| SG | 13.251.16.150:80 | jdhhbs.biz | tcp |
| US | 8.8.8.8:53 | ywffr.biz | udp |
| US | 54.244.188.177:80 | ywffr.biz | tcp |
| US | 8.8.8.8:53 | ecxbwt.biz | udp |
| US | 54.244.188.177:80 | ecxbwt.biz | tcp |
| US | 8.8.8.8:53 | mgmsclkyu.biz | udp |
| IE | 34.246.200.160:80 | mgmsclkyu.biz | tcp |
| US | 8.8.8.8:53 | pectx.biz | udp |
| US | 44.213.104.86:80 | pectx.biz | tcp |
| US | 8.8.8.8:53 | warkcdu.biz | udp |
| SG | 18.141.10.107:80 | warkcdu.biz | tcp |
| US | 8.8.8.8:53 | zyiexezl.biz | udp |
| US | 18.208.156.248:80 | zyiexezl.biz | tcp |
| US | 8.8.8.8:53 | banwyw.biz | udp |
| US | 44.221.84.105:80 | banwyw.biz | tcp |
| US | 8.8.8.8:53 | muapr.biz | udp |
| US | 8.8.8.8:53 | wxgzshna.biz | udp |
| US | 8.8.8.8:53 | zrlssa.biz | udp |
| US | 44.221.84.105:80 | zrlssa.biz | tcp |
| US | 8.8.8.8:53 | jlqltsjvh.biz | udp |
| SG | 18.141.10.107:80 | jlqltsjvh.biz | tcp |
| US | 8.8.8.8:53 | gcedd.biz | udp |
| SG | 13.251.16.150:80 | gcedd.biz | tcp |
| US | 8.8.8.8:53 | xyrgy.biz | udp |
| US | 18.208.156.248:80 | xyrgy.biz | tcp |
| SG | 13.251.16.150:80 | gcedd.biz | tcp |
| US | 8.8.8.8:53 | htwqzczce.biz | udp |
| US | 54.157.24.8:80 | htwqzczce.biz | tcp |
| US | 54.157.24.8:80 | htwqzczce.biz | tcp |
| US | 8.8.8.8:53 | kvbjaur.biz | udp |
| US | 54.244.188.177:80 | kvbjaur.biz | tcp |
| US | 8.8.8.8:53 | uphca.biz | udp |
| US | 44.221.84.105:80 | uphca.biz | tcp |
| US | 8.8.8.8:53 | jwkoeoqns.biz | udp |
| US | 18.208.156.248:80 | jwkoeoqns.biz | tcp |
| US | 8.8.8.8:53 | fjumtfnz.biz | udp |
| US | 34.211.97.45:80 | fjumtfnz.biz | tcp |
| US | 8.8.8.8:53 | xccjj.biz | udp |
| US | 44.213.104.86:80 | xccjj.biz | tcp |
| US | 8.8.8.8:53 | hehckyov.biz | udp |
| US | 44.221.84.105:80 | hehckyov.biz | tcp |
| US | 8.8.8.8:53 | hlzfuyy.biz | udp |
| US | 34.211.97.45:80 | hlzfuyy.biz | tcp |
| US | 8.8.8.8:53 | rynmcq.biz | udp |
| US | 54.244.188.177:80 | rynmcq.biz | tcp |
| US | 8.8.8.8:53 | rffxu.biz | udp |
| IE | 34.246.200.160:80 | rffxu.biz | tcp |
| US | 8.8.8.8:53 | uaafd.biz | udp |
| IE | 3.254.94.185:80 | uaafd.biz | tcp |
| US | 8.8.8.8:53 | cikivjto.biz | udp |
| US | 44.213.104.86:80 | cikivjto.biz | tcp |
| US | 8.8.8.8:53 | eufxebus.biz | udp |
| SG | 18.141.10.107:80 | eufxebus.biz | tcp |
| US | 8.8.8.8:53 | qncdaagct.biz | udp |
| US | 34.218.204.173:80 | qncdaagct.biz | tcp |
| US | 8.8.8.8:53 | shpwbsrw.biz | udp |
| SG | 13.251.16.150:80 | shpwbsrw.biz | tcp |
| US | 8.8.8.8:53 | pwlqfu.biz | udp |
| IE | 34.246.200.160:80 | pwlqfu.biz | tcp |
| US | 8.8.8.8:53 | rrqafepng.biz | udp |
| US | 44.200.43.61:80 | rrqafepng.biz | tcp |
| US | 8.8.8.8:53 | ctdtgwag.biz | udp |
| US | 3.94.10.34:80 | ctdtgwag.biz | tcp |
| US | 8.8.8.8:53 | cjvgcl.biz | udp |
| US | 18.208.156.248:80 | cjvgcl.biz | tcp |
| US | 8.8.8.8:53 | tnevuluw.biz | udp |
| US | 35.164.78.200:80 | tnevuluw.biz | tcp |
| US | 8.8.8.8:53 | neazudmrq.biz | udp |
| US | 44.221.84.105:80 | neazudmrq.biz | tcp |
| US | 8.8.8.8:53 | pgfsvwx.biz | udp |
| US | 18.208.156.248:80 | pgfsvwx.biz | tcp |
| US | 8.8.8.8:53 | whjovd.biz | udp |
| SG | 18.141.10.107:80 | whjovd.biz | tcp |
| US | 8.8.8.8:53 | aatcwo.biz | udp |
| US | 34.218.204.173:80 | aatcwo.biz | tcp |
| US | 8.8.8.8:53 | kcyvxytog.biz | udp |
| US | 18.208.156.248:80 | kcyvxytog.biz | tcp |
| US | 8.8.8.8:53 | nwdnxrd.biz | udp |
| US | 54.244.188.177:80 | nwdnxrd.biz | tcp |
| US | 8.8.8.8:53 | gjogvvpsf.biz | udp |
| US | 8.8.8.8:53 | reczwga.biz | udp |
| US | 8.8.8.8:53 | ereplfx.biz | udp |
| US | 44.213.104.86:80 | ereplfx.biz | tcp |
| US | 44.221.84.105:80 | reczwga.biz | tcp |
| US | 8.8.8.8:53 | ptrim.biz | udp |
| US | 8.8.8.8:53 | bghjpy.biz | udp |
| SG | 18.141.10.107:80 | ptrim.biz | tcp |
| US | 34.211.97.45:80 | bghjpy.biz | tcp |
| US | 8.8.8.8:53 | damcprvgv.biz | udp |
| US | 18.208.156.248:80 | damcprvgv.biz | tcp |
| US | 8.8.8.8:53 | ocsvqjg.biz | udp |
| IE | 3.254.94.185:80 | ocsvqjg.biz | tcp |
| US | 8.8.8.8:53 | znwbniskf.biz | udp |
| US | 34.218.204.173:80 | znwbniskf.biz | tcp |
| US | 8.8.8.8:53 | ywffr.biz | udp |
| US | 54.244.188.177:80 | ywffr.biz | tcp |
| US | 8.8.8.8:53 | cpclnad.biz | udp |
| US | 44.221.84.105:80 | cpclnad.biz | tcp |
| US | 8.8.8.8:53 | ecxbwt.biz | udp |
| US | 54.244.188.177:80 | ecxbwt.biz | tcp |
| US | 8.8.8.8:53 | mjheo.biz | udp |
| US | 44.221.84.105:80 | mjheo.biz | tcp |
| US | 8.8.8.8:53 | wluwplyh.biz | udp |
| SG | 18.141.10.107:80 | wluwplyh.biz | tcp |
| US | 8.8.8.8:53 | pectx.biz | udp |
| US | 44.213.104.86:80 | pectx.biz | tcp |
| US | 8.8.8.8:53 | zyiexezl.biz | udp |
| US | 18.208.156.248:80 | zyiexezl.biz | tcp |
| US | 8.8.8.8:53 | banwyw.biz | udp |
| US | 44.221.84.105:80 | banwyw.biz | tcp |
| US | 8.8.8.8:53 | muapr.biz | udp |
| US | 8.8.8.8:53 | wxgzshna.biz | udp |
| US | 8.8.8.8:53 | zrlssa.biz | udp |
| US | 44.221.84.105:80 | zrlssa.biz | tcp |
| US | 8.8.8.8:53 | zgapiej.biz | udp |
| US | 18.208.156.248:80 | zgapiej.biz | tcp |
| US | 8.8.8.8:53 | jlqltsjvh.biz | udp |
| SG | 18.141.10.107:80 | jlqltsjvh.biz | tcp |
| US | 8.8.8.8:53 | jifai.biz | udp |
| US | 44.221.84.105:80 | jifai.biz | tcp |
| US | 8.8.8.8:53 | xnxvnn.biz | udp |
| SG | 13.251.16.150:80 | xnxvnn.biz | tcp |
| US | 8.8.8.8:53 | xyrgy.biz | udp |
| US | 18.208.156.248:80 | xyrgy.biz | tcp |
| US | 8.8.8.8:53 | htwqzczce.biz | udp |
| US | 54.157.24.8:80 | htwqzczce.biz | tcp |
| US | 8.8.8.8:53 | ihcnogskt.biz | udp |
| US | 35.164.78.200:80 | ihcnogskt.biz | tcp |
| US | 8.8.8.8:53 | kkqypycm.biz | udp |
| SG | 18.141.10.107:80 | kkqypycm.biz | tcp |
| US | 8.8.8.8:53 | uevrpr.biz | udp |
| US | 44.213.104.86:80 | uevrpr.biz | tcp |
| US | 8.8.8.8:53 | fgajqjyhr.biz | udp |
| US | 34.211.97.45:80 | fgajqjyhr.biz | tcp |
| US | 8.8.8.8:53 | hagujcj.biz | udp |
| US | 18.208.156.248:80 | hagujcj.biz | tcp |
| US | 8.8.8.8:53 | sctmku.biz | udp |
| US | 35.164.78.200:80 | sctmku.biz | tcp |
| US | 54.157.24.8:80 | htwqzczce.biz | tcp |
| US | 8.8.8.8:53 | kvbjaur.biz | udp |
| US | 8.8.8.8:53 | cwyfknmwh.biz | udp |
| US | 54.244.188.177:80 | kvbjaur.biz | tcp |
| US | 8.8.8.8:53 | qcrsp.biz | udp |
| US | 34.211.97.45:80 | qcrsp.biz | tcp |
| US | 8.8.8.8:53 | uphca.biz | udp |
| US | 44.221.84.105:80 | uphca.biz | tcp |
| US | 8.8.8.8:53 | sewlqwcd.biz | udp |
| US | 44.221.84.105:80 | sewlqwcd.biz | tcp |
| US | 8.8.8.8:53 | fjumtfnz.biz | udp |
| US | 34.211.97.45:80 | fjumtfnz.biz | tcp |
| US | 8.8.8.8:53 | dyjdrp.biz | udp |
| US | 54.244.188.177:80 | dyjdrp.biz | tcp |
| US | 8.8.8.8:53 | hlzfuyy.biz | udp |
| US | 8.8.8.8:53 | napws.biz | udp |
| US | 35.164.78.200:80 | napws.biz | tcp |
| US | 34.211.97.45:80 | hlzfuyy.biz | tcp |
| US | 8.8.8.8:53 | rffxu.biz | udp |
| US | 8.8.8.8:53 | qvuhsaqa.biz | udp |
| IE | 34.246.200.160:80 | rffxu.biz | tcp |
| US | 54.244.188.177:80 | qvuhsaqa.biz | tcp |
| US | 8.8.8.8:53 | cikivjto.biz | udp |
| US | 44.213.104.86:80 | cikivjto.biz | tcp |
| US | 8.8.8.8:53 | qncdaagct.biz | udp |
| US | 8.8.8.8:53 | apzzls.biz | udp |
| US | 34.218.204.173:80 | qncdaagct.biz | tcp |
| US | 34.211.97.45:80 | apzzls.biz | tcp |
| US | 8.8.8.8:53 | krnsmlmvd.biz | udp |
| US | 8.8.8.8:53 | shpwbsrw.biz | udp |
| SG | 13.251.16.150:80 | shpwbsrw.biz | tcp |
| US | 34.218.204.173:80 | krnsmlmvd.biz | tcp |
| US | 8.8.8.8:53 | nlscndwp.biz | udp |
| US | 54.244.188.177:80 | nlscndwp.biz | tcp |
| US | 8.8.8.8:53 | bzkysubds.biz | udp |
| US | 8.8.8.8:53 | cjvgcl.biz | udp |
| US | 18.208.156.248:80 | cjvgcl.biz | tcp |
| US | 3.94.10.34:80 | bzkysubds.biz | tcp |
| US | 8.8.8.8:53 | neazudmrq.biz | udp |
| US | 8.8.8.8:53 | ltpqsnu.biz | udp |
| US | 44.221.84.105:80 | neazudmrq.biz | tcp |
| US | 18.208.156.248:80 | ltpqsnu.biz | tcp |
| US | 8.8.8.8:53 | pgfsvwx.biz | udp |
| US | 8.8.8.8:53 | vnvbt.biz | udp |
| US | 44.213.104.86:80 | vnvbt.biz | tcp |
| US | 18.208.156.248:80 | pgfsvwx.biz | tcp |
| US | 8.8.8.8:53 | ypituyqsq.biz | udp |
| US | 8.8.8.8:53 | aatcwo.biz | udp |
| US | 3.94.10.34:80 | ypituyqsq.biz | tcp |
| US | 34.218.204.173:80 | aatcwo.biz | tcp |
| US | 8.8.8.8:53 | ijnmvqa.biz | udp |
| US | 35.164.78.200:80 | ijnmvqa.biz | tcp |
| US | 8.8.8.8:53 | kcyvxytog.biz | udp |
| US | 18.208.156.248:80 | kcyvxytog.biz | tcp |
| US | 8.8.8.8:53 | nwdnxrd.biz | udp |
| US | 54.244.188.177:80 | nwdnxrd.biz | tcp |
| US | 8.8.8.8:53 | tltxn.biz | udp |
| US | 18.208.156.248:80 | tltxn.biz | tcp |
| US | 8.8.8.8:53 | vgypotwp.biz | udp |
| US | 54.244.188.177:80 | vgypotwp.biz | tcp |
| US | 8.8.8.8:53 | ereplfx.biz | udp |
| US | 44.213.104.86:80 | ereplfx.biz | tcp |
| US | 8.8.8.8:53 | ptrim.biz | udp |
| SG | 18.141.10.107:80 | ptrim.biz | tcp |
| US | 8.8.8.8:53 | giliplg.biz | udp |
| US | 44.213.104.86:80 | giliplg.biz | tcp |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 54.244.188.177:80 | pywolwnvd.biz | tcp |
| US | 8.8.8.8:53 | | udp |
| SG | 18.141.10.107:80 | | tcp |
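The behavioral1 network table above is dominated by short, random-looking .biz names, each looked up through 8.8.8.8 and then contacted on port 80, with a small set of cloud-hosted IPs (IE, SG, US) answering for many different names. That shape is typical of a domain-generation algorithm, and the useful indicator is the domain list, not the IPs. The script below is an added example written for this page (it is not the sandbox's own tooling): it parses rows in the four-column format used above, separates resolver queries from the TCP connections that followed, and reports which domains resolved, which IPs are shared by several domains, and which queries were never followed by a connection. The sample rows are copied from the table, plus one deliberately malformed row of the kind that appears at the end of the table; the only assumption is that the sandbox resolver is 8.8.8.8.

```python
"""Extract network IOCs from sandbox 'Network' table rows.

Added example for this report, not part of the sandbox's own tooling.
"""
import re
from collections import defaultdict

# Constructed sample: rows copied from the behavioral1 table above, plus
# one malformed row (domain column missing) like the last two in that table.
SAMPLE_ROWS = """\
| US | 8.8.8.8:53 | cjvgcl.biz | udp |
| US | 18.208.156.248:80 | cjvgcl.biz | tcp |
| US | 8.8.8.8:53 | pgfsvwx.biz | udp |
| US | 18.208.156.248:80 | pgfsvwx.biz | tcp |
| US | 8.8.8.8:53 | gjogvvpsf.biz | udp |
| US | 8.8.8.8:53 | ptrim.biz | udp |
| SG | 18.141.10.107:80 | ptrim.biz | tcp |
| US | 8.8.8.8:53 | kcyvxytog.biz | udp |
| US | 18.208.156.248:80 | kcyvxytog.biz | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp | |
"""

# | Country | Destination | Domain | Proto |
ROW_RE = re.compile(
    r"^\|\s*([A-Z]{2})\s*\|\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s*\|"
    r"\s*([^|\s]+)\s*\|\s*(udp|tcp)\s*\|$"
)


def parse_rows(text):
    """Return (events, skipped): one dict per well-formed row, raw text of the rest."""
    events, skipped = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        m = ROW_RE.match(line)
        if not m:
            skipped.append(line)  # header or malformed row (e.g. domain missing)
            continue
        country, ip, port, domain, proto = m.groups()
        events.append({"country": country, "ip": ip, "port": int(port),
                       "domain": domain, "proto": proto})
    return events, skipped


def ioc_summary(events, resolver="8.8.8.8"):
    """Split DNS lookups from follow-up connections and summarise them."""
    queried = set()
    domain_ips = defaultdict(set)   # domain -> IPs it was contacted on
    ip_domains = defaultdict(set)   # IP -> domains contacted on it
    for ev in events:
        if ev["domain"].endswith(".in-addr.arpa"):
            continue  # reverse lookups issued by the sandbox, not the sample
        if ev["proto"] == "udp" and ev["port"] == 53 and ev["ip"] == resolver:
            queried.add(ev["domain"])
        else:
            domain_ips[ev["domain"]].add(ev["ip"])
            ip_domains[ev["ip"]].add(ev["domain"])
    return {
        "queried": sorted(queried),
        # looked up but never connected to: likely NXDOMAIN, still worth a DNS alert
        "unresolved": sorted(queried - set(domain_ips)),
        # one IP answering for several generated names: shared hosting or sinkhole
        "shared_ips": {ip: sorted(d) for ip, d in sorted(ip_domains.items()) if len(d) > 1},
        "block_domains": sorted(queried | set(domain_ips)),
        "contact_ips": sorted(ip_domains),
    }


if __name__ == "__main__":
    events, skipped = parse_rows(SAMPLE_ROWS)
    print(f"{len(events)} rows parsed, {len(skipped)} skipped")
    for key, value in ioc_summary(events).items():
        print(f"{key}: {value}")
```

Run against the full table, the "unresolved" bucket picks up names such as gjogvvpsf.biz, muapr.biz, wxgzshna.biz and cwyfknmwh.biz, which appear only as lookups; those are still good DNS-log indicators. Treat the IPs with more caution than the domains: 18.208.156.248 and 18.141.10.107 each answer for several generated names here, which is what shared cloud hosting or a sinkhole looks like, so blocking the address may hit unrelated tenants.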
Files
memory/2236-5-0x0000000002750000-0x00000000027B7000-memory.dmp
memory/2236-0-0x0000000002750000-0x00000000027B7000-memory.dmp
memory/2236-9-0x0000000000400000-0x0000000002742000-memory.dmp
memory/2236-10-0x0000000004B40000-0x0000000004B41000-memory.dmp
memory/2236-11-0x0000000005360000-0x0000000005361000-memory.dmp
memory/2236-12-0x0000000005370000-0x0000000005371000-memory.dmp
memory/2236-15-0x0000000005390000-0x0000000005391000-memory.dmp
\Windows\System32\alg.exe
| MD5 | 5f5e55637be2d0589bae1497cb8c3887 |
| SHA1 | e5301399ca319b9676e755057877d1a202f21923 |
| SHA256 | bfb579d89174e2d3fc9ab986b3b1d24bfb36fb6df40cf43d78b74da5ffa5070f |
| SHA512 | 3d8e9555e2d4bf9d2714f9966a486e17b1283557ffb0a0aff2cfcefa51e56a990db845fea1e715483224d5d0d1fce9dcf9117e6a0ad38458fc4eb22920b5516f |
memory/2236-14-0x0000000005380000-0x0000000005381000-memory.dmp
memory/2236-20-0x00000000053C0000-0x00000000053C1000-memory.dmp
memory/1148-19-0x0000000000430000-0x0000000000490000-memory.dmp
memory/2236-18-0x00000000053B0000-0x00000000053B1000-memory.dmp
memory/2236-17-0x00000000053A0000-0x00000000053A1000-memory.dmp
memory/1148-29-0x0000000000430000-0x0000000000490000-memory.dmp
memory/2236-28-0x0000000000400000-0x0000000002742000-memory.dmp
memory/1148-31-0x0000000100000000-0x00000001001E3000-memory.dmp
\Users\Admin\AppData\Local\Temp\gcapi_17182060182236.dll
| MD5 | f637d5d3c3a60fddb5dd397556fe9b1d |
| SHA1 | 66f0c4f137870a9927400ea00facc00193ef21e3 |
| SHA256 | 641b843cb6ee7538ec267212694c9ef0616b9ac9ab14a0abd7cf020678d50b02 |
| SHA512 | e96984f2f9c6858e989f10fd8e71b09a8a640c9be2fb87ac1692d9bca7107d7a837f8fbdcc46c01a6107dd9020994c5a6f975b7e16434e9b2bf1c43b1f0d8b31 |
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
| MD5 | 044091ace917c13227f576e56e323aa4 |
| SHA1 | 61a35ebf5f3abe2c05e4c3eb64e2461b2ddc8e7b |
| SHA256 | c41d9134a6cc8d779efd21c9cc819d4984f50897f837bf98313b1f5919677dc7 |
| SHA512 | 4eb6fcb69637fae3fd9e744144e93c2e1e05036be5ebf1f6999b42c9cb02f3d14e66c488a209951e744202a9ad4ad9377d398b243d33cc970d9450e02a274bf1 |
memory/2236-41-0x0000000000400000-0x0000000002742000-memory.dmp
memory/2836-42-0x0000000140000000-0x00000001401DC000-memory.dmp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
| MD5 | efccc599b54336bdae917a05676cee1a |
| SHA1 | 4172e14dcd99ac21b00812a2e48ff6547d142033 |
| SHA256 | 11beef756b00ffef88d06781ad4f95b8d3ec5ab81f5fc95c426996183d3d215a |
| SHA512 | 4f0e571256e32490e939ed131f3edf5d2dea02c9835551c0cae7ceb88cf20ea7137f3c46d72dc5fa1ea58b95dbba846c08c8150ecac0d56128e1c909d5bb7c9a |
memory/2548-50-0x0000000000340000-0x00000000003A7000-memory.dmp
memory/2548-45-0x0000000000340000-0x00000000003A7000-memory.dmp
memory/2548-52-0x0000000010000000-0x00000000101DE000-memory.dmp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
| MD5 | 7645ea1a7317fc603571acdbc6e76b72 |
| SHA1 | 31a5723b7d755e887a10c3d30cb9918fe224c410 |
| SHA256 | 4795853c6ce0549a13a8a0b903595da52edf30ab44456f41ce87d394355e9049 |
| SHA512 | 63654e4efade6105839f80d4f86ae1bb048d7b8e3aa48cd5a2728b6be7e64b29fd43ea271e69aa6ce4a572b8c85e3b82452bdda9b83ce22cf9e1cfbf0b7e461f |
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
| MD5 | dbfb16f993914c00ce74e7c7636efed2 |
| SHA1 | e528cdedfb5d097ccbee568492389fdc11020b76 |
| SHA256 | e6157218415284c36fb30c8f7b12a046216512d27567a831141a6255fc3d025f |
| SHA512 | ac31f0c432ec8c842798a94e7e2c6ec82d25c620e0e00ade844c0b3d9194c68db772c51011a025051e2f92a5a001765bea252994e22de4c79bbd07f257521d4d |
memory/752-65-0x0000000010000000-0x00000000101E6000-memory.dmp
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
| MD5 | 2baeb0eb5188c81e3cb0420fd98dccb5 |
| SHA1 | 6211252502871796d38dd95e5a037d82e02a40c0 |
| SHA256 | 826c515bb0e02182e3127f26232e71349f03cd1a4d47796a5824b5fc63111826 |
| SHA512 | 14f6591711f66a97a8c521c3fd89516a9226ed1643cd71a111a90429995ad2d8b9b537265e47187eba20ad14e6f8b7f253a4704306ebacd30d8f79a246713286 |
memory/2548-66-0x0000000010000000-0x00000000101DE000-memory.dmp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
| MD5 | a0b671bdefee3dc6560248283a8c9524 |
| SHA1 | 6ef3e86fa70ca456290cc378d9589bc07fba2623 |
| SHA256 | a982be00ad4d431999787b2858001767a9a1777cb6d8e5a5906154865909b96e |
| SHA512 | ea356db7309a946067391f4e34360e78e147e318298567fd8692f76b39dc8c332b6d0d62c94a3a5bb4d7f7f6224b2860563f0ecb9f42a6c8dd3ee1b86bb7f93f |
memory/1920-74-0x0000000000380000-0x00000000003E7000-memory.dmp
memory/1920-79-0x0000000000380000-0x00000000003E7000-memory.dmp
memory/1920-81-0x0000000000400000-0x00000000005E7000-memory.dmp
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
| MD5 | 40743e80c92e96f5aada5103f9cd2ac3 |
| SHA1 | 7cd20c9ed15e8d76efd736ae7b5ee34c74e8ff6c |
| SHA256 | dcd0c6f39447a33f4c6b7600acc6b127addf239264344fa8d9af31a5e2a4422b |
| SHA512 | e0c9e6195f3bd77635e9ce21579d4c908c3da9c6a44af5b18f87cc1ce3275af741d636b502493b738d2ad0003cd0e46dcabaea9bdfb4fdcc5711b19ced479bba |
memory/1824-94-0x00000000001E0000-0x0000000000240000-memory.dmp
memory/1824-88-0x00000000001E0000-0x0000000000240000-memory.dmp
memory/2236-106-0x0000000009640000-0x0000000009650000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log
| MD5 | cc1175dd86d7a970b7042009e79f5255 |
| SHA1 | 104c164cb0d20e79235b2e6acbf38a00148bfb77 |
| SHA256 | ea86999cd13f05d87bf60ed22da787eb86df52d73819fade67f626f74d75c137 |
| SHA512 | e72b448e14ff8cc9b62d8dcc590c44cc314079f6d17e4d59a5adca6e6f6e8b895b5897bee00123968cc04495321b416c4fd884bba3fdff7e9d936c53b10517da |
memory/2236-100-0x00000000094A0000-0x00000000094B0000-memory.dmp
C:\Windows\System32\dllhost.exe
| MD5 | 872f2a03d5c3f692d1542dbb4c623768 |
| SHA1 | fb5096795215d9b2e9712eee8d907f1dd193b0bf |
| SHA256 | e920c32fab76a68e647885b848d68e3a6ac56478f5520c97085f1fc360b14fa7 |
| SHA512 | 6ae9c74744906c93a843425c71d1e220c8533a744e0288134984154d9b334a25d5b80399a9bc79d1e3b757f5c87aae78b3e2c982d8a9bf76aad08056e288abc9 |
memory/2236-153-0x0000000000400000-0x0000000002742000-memory.dmp
memory/1824-155-0x0000000140000000-0x00000001401ED000-memory.dmp
C:\Windows\ehome\ehrecvr.exe
| MD5 | 85da776047e0416ac34b3fe84c7b2a80 |
| SHA1 | c1797d9e7553ff02c6c437a7bb2ea77f76586a4c |
| SHA256 | 21685e10dad9dd15e800487dd91dc26449a66ced0fae5a64e5b86a3a9b94c692 |
| SHA512 | 11f2b1fa5db65a978c39f790d838f76e6f399190db1ac24147afd7da6158bbd019e4f4e89a24fbe634ca41c846307c4cf0b1832563afe779fbbd709f84a6d1ce |
memory/2168-176-0x0000000100000000-0x00000001001D4000-memory.dmp
C:\Windows\ehome\ehsched.exe
| MD5 | 972d6b175bf7af53303549c1d9068b59 |
| SHA1 | d178f24709ad5239a4160b74d8ac82801cabdbaf |
| SHA256 | f3de870b9d37e3a6bb155a5de7c073a158cc0baef14e0134a2274e77e345051b |
| SHA512 | dc8b812d8c3576ba6e89840af48672dcd889ac03074655556c53ea92ff1e152303e0d8ef664059766eef9bf438c3a46df8360f8f5de29fbc4798e3d47c160a87 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
| MD5 | 26090c4d1a18e5e72b0639ff690d304e |
| SHA1 | eea9be22a5dec4b6c8cbd5de66b996041263e686 |
| SHA256 | e026649e8c0b399394b184f3a7382c1fac2cfa65c27841e91690ebc17b74c098 |
| SHA512 | e9619dc6bf2eff2bd5aa5bbc717f9df7b4e3a66993cd7d9fce8c0809f12d65fc621ea17284081548304821e3bc2d3e584b892b830557f3825b14039027eb0fd6 |
memory/2236-227-0x0000000000400000-0x0000000002742000-memory.dmp
memory/1336-231-0x0000000100000000-0x00000001001D4000-memory.dmp
memory/2428-229-0x0000000140000000-0x00000001401F1000-memory.dmp
memory/2360-228-0x0000000140000000-0x000000014013C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log
| MD5 | 6c16d581164088624820017cb08be8d5 |
| SHA1 | 17f5ad39b0d890e1adff995da60ffafda5c86eed |
| SHA256 | ac353f5fbdc6a89bbc95bff4e346b4fc751d3155432fccf3793ea00b87136944 |
| SHA512 | 60e1ced0361ad648108a19fe218c1aa27e852d5349e9b98d11e93b906f5fd70a7be31c318a818246c2004ae067669652e69b14c77c7e96d864048e35c9090244 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk
| MD5 | 374012fe6f381c1f9edd1893db20f666 |
| SHA1 | 00a01c49398d1c599ea114ff5125b73c491e8223 |
| SHA256 | 8002ce98aba28a2ba7ada11383b46a408c2499e9dbaae16272c19eb8def187d7 |
| SHA512 | 2999a8210e4a0215139033a08bb96b93d316763edcce366ee295f14fe420e416544e94f57d99eaad9e6be1f5844f3e8842f8b0cd3ce935189afd15c51d64713b |
memory/1148-241-0x0000000100000000-0x00000001001E3000-memory.dmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
| MD5 | 515ce172df002da7bcb59cfe437979c7 |
| SHA1 | 94ebc29af01922df1cf1df581bf6b62f0b0a8536 |
| SHA256 | 71b9565d376daa4983573a0d85e750e70d91a7057cac228eaf21c722d4eee682 |
| SHA512 | 717b0080ce1490439832baf20d13920456f04134728fc56458c78a5634c1206e66fd3937c7195fe3d847547ad517f17f4522c2ba4745bb34b29f823b7af671c1 |
memory/2576-259-0x0000000140000000-0x0000000140237000-memory.dmp
\Windows\System32\ieetwcollector.exe
| MD5 | 69086cd0026fc0e484edbfeacdcf3523 |
| SHA1 | 164064301a59e18db5db51e26bd8ad7a73b5a853 |
| SHA256 | a3ec9335f2facefcd80fb6e265343982baf063949f577822b5975f4a018f415b |
| SHA512 | 0b65800be9cc3b60729d4d4721171ff8ff582b35b97a6c44bc26f58877f5873c46d40110e42e8049ee9edd3a2eae9e4565cf6195d740e4be41e32802ee1224b3 |
memory/2800-277-0x0000000140000000-0x00000001401ED000-memory.dmp
memory/2236-258-0x0000000000400000-0x0000000002742000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YIJSEOI3.txt
| MD5 | ff52259b5088351501f6fd97da0f3888 |
| SHA1 | 91e6cddc4203e272ac8987bf2d11fb9ddb7c9d74 |
| SHA256 | 4aead69e8be4f7afe63f5514d8471bca46fbd2bf15d55cf66b7ed65a7e5ee865 |
| SHA512 | 6c52e57cfc5b350bc44e00105a960ca8d569e7ad1a1ce8f64dfa379efc297585b2802c9df628d8cddacb97b4a1b5f9f9965bcceb6b1ddeddd7cfd73293639220 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ZVF3Y91C.txt
| MD5 | 74055ee58998759207d8bdccf3554117 |
| SHA1 | b6feb6511a524a1b6fb206df6d7c5f2c64446f48 |
| SHA256 | 5dbf06e2fa12abb829c5a24aee459fb460d3d63b4f4ba05d649dd9cf9c60cbb9 |
| SHA512 | 2804b667d282765439704b95ffd5d010eb5e9eecf6dd75becd59bdfe7d5b35dffa913ce3155b548e8b4ac2d095cc2c9dce8ce617376ef58f4723af536e8b1047 |
memory/916-318-0x0000000100000000-0x00000001001D4000-memory.dmp
memory/2836-317-0x0000000140000000-0x00000001401DC000-memory.dmp
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
| MD5 | 07665713f1f63aeb76512b40c1fecc1d |
| SHA1 | 046c6ae2c0e8663c0faee4b4d56e1fcc837851e4 |
| SHA256 | 07360af897485421770cdd6c19aad04741aebbdd1f57f623d8e938003535249e |
| SHA512 | a77d871dba42cfcfe39d3c39d7dfcd0d4d66532e24320e0d4a6cb505823c6b5ed86127fcbd726d36ab330c5d3f23d5ecdff2333e88446954b27cdaa178da1db8 |
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
| MD5 | fad7c4bf74a7bfb45ec4e4d3a8ecfdd6 |
| SHA1 | f21e91d068d1fd99bf459610bb865a8230754e52 |
| SHA256 | e27c9f422da99d231b4007bb796d31fbdc7d9d5ab8ba20818cb18d84fc181451 |
| SHA512 | 9bfe5f299b829d1e413910552e756c071a25b89ceaaee06b15bcbf0a02d3cdeac9635e0dd9f2425b5627a5c50f590e1c36d161632995acaffb508f7e3f595a0b |
memory/1344-345-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1344-341-0x0000000140000000-0x0000000140209000-memory.dmp
memory/2568-329-0x000000002E000000-0x000000002FE1E000-memory.dmp
memory/2348-374-0x0000000000400000-0x00000000005E7000-memory.dmp
C:\Windows\System32\msdtc.exe
| MD5 | c2d2c825f1e3d0b1e177392009870256 |
| SHA1 | c31b64c5758170fbd56da692f2f410937a2fb32f |
| SHA256 | a28f704f1f614af2b25bdf73b4c66723bc262db529cfa0250c05b29d6f7d66dd |
| SHA512 | b3f6fef46bab97cf78f70a5812fe8efd437add2446ce52116b92f4da0cbaf16eab2064e43f3e0f5f87c2fbc96dcdef9e83d625753fb6aeb7e2f9c4d7db467f18 |
memory/2452-380-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/264-399-0x0000000000400000-0x00000000005E7000-memory.dmp
memory/2348-402-0x0000000000400000-0x00000000005E7000-memory.dmp
memory/2428-398-0x0000000140000000-0x00000001401F1000-memory.dmp
C:\Windows\system32\msiexec.exe
| MD5 | 34d50de7f7a0624920acbf6b4b1c2e83 |
| SHA1 | 5a1e11d63a833fb4f2a1f25cb4be6b6753564462 |
| SHA256 | ddcc9c7b9c046da6a263d618c6984acfe96429bc98a95eff3f69a40ccfd4a5ca |
| SHA512 | 8c088ba2ef62d1564bf94d322df3df4aabbb0428eb0139fdcb8ec96269a43302b50d635ca01859081dda5d956a154dde82a318e414bc351e721b63566b4812cb |
memory/264-415-0x0000000000400000-0x00000000005E7000-memory.dmp
memory/1232-414-0x0000000000400000-0x00000000005E7000-memory.dmp
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
| MD5 | e0b0155b401bdc928df6840c9081d9e3 |
| SHA1 | dc644b646affbaaa5ec7256e2c09490c4ac23c3a |
| SHA256 | e21f5c327aa184bf9dc8b95a335e67470428d5aab9604c80f72b2611d535720a |
| SHA512 | 22f7c24e2323e88bd1d22e50d6219831748b10dcd8bfb66be7b17bc7c126a3e5f6f370417b35e70f915c58b38c3541ac7a7ca936d534684795baf9c05ab3e124 |
memory/2360-397-0x0000000140000000-0x000000014013C000-memory.dmp
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
| MD5 | 80593d3e37e371da09b2767cff24257f |
| SHA1 | a3af6d17b8ac4f13af8b9790897eefa523fba3ea |
| SHA256 | fa673652a47c21b579aefd68208b4ae3338b5672b891c7823472ac0e908d7071 |
| SHA512 | 853d1d3488575fa940c08a038e9c0014a7f40b68d4acf0d790db6547e294b5a4931953e722bc8c85265fd35099371800dfe28978aa28a65c32272a3f74fc3ff7 |
C:\Windows\SysWOW64\perfhost.exe
| MD5 | 108f6958c028efc7935a95c0ebae6121 |
| SHA1 | 1cd05e74847ac90fa9696fd736c939dede6e7dd6 |
| SHA256 | 3bb2e484e52f0a28aecced77dfa0680cb87205a0c9c850711c8b00ca08c87d9e |
| SHA512 | f1fe10dcb64181cca3bcd5bb3bfecc08b8d588890c6f0a7109fc69182e2ae72d569ea9f9e263fa67f46745bf40ff65069046d7a06aa1ce868e664888e5f07162 |
memory/2576-468-0x0000000140000000-0x0000000140237000-memory.dmp
\Windows\System32\Locator.exe
| MD5 | b639e23592549a243c449f1e7ba7a321 |
| SHA1 | 89cc5286b35d6f76f883b7c3c0eeb241d4e5051a |
| SHA256 | 3b91c95ad221cbf9c9119968c69c1406b0eece5cb347f00f7a00d163c3217816 |
| SHA512 | c7d5c6a6fdd6326bd014fb7d017370f61ebf00620a96970becf3647dc43c05e1bffea5b7b7eb91fa9fe6f881b3ce491d4cfc031ba0c9c9e042f0f1e8e1ede5fb |
C:\Windows\System32\snmptrap.exe
| MD5 | bee382fc8f3fee7a7542a014a6054090 |
| SHA1 | 6babb53f2b8b6117677a563f116d8f0ecf7acc68 |
| SHA256 | 6a58b4ae16154ef48aa1a175dc81208c9299f71cd42875c62886bb6117477984 |
| SHA512 | 1ecc8f534148cb44e9f20db31176fc19d4372419a06950b4cc51736693e3aa85cc3ec19eff5a02b33b6ec3c445329522efe971e227d8d73db1709485ac56d35c |
memory/1232-500-0x0000000000400000-0x00000000005E7000-memory.dmp
C:\Windows\System32\vds.exe
| MD5 | e8be96c589fece0c13e1f314ee0cbde2 |
| SHA1 | 72099368f8df6cc207488d6e4c63e8fdcb51601f |
| SHA256 | 164ee10c6d82ac205dc628a6730f0b9937c3b45b9f4dfa283ea8d8ecb30c1671 |
| SHA512 | 8eda374bf8d418239aef6e4430c74516211763d2bfdf31048302f26bc56adfca8e01c2a03212c391cd842e4ef346525c38aabe889687143055e64ab4ce845584 |
C:\Windows\System32\VSSVC.exe
| MD5 | c97d9910063fdfeb44c88b1874a93eb7 |
| SHA1 | f2c4da650b6ac4dba3d3efdc8314fc4578dd762d |
| SHA256 | cb13c178269696457826154b3ff39ec899b20184e0b7b9749d11633568a40c3e |
| SHA512 | 9df82dbe35c96ca0ee7e6c43d63fb8278e5441e6ab88de0f4b6efa44207327e63e5519f598df8ecb0872f9ee0c05f6e32e5750a948f6e4168de543b6fb547ad4 |
\Windows\System32\wbengine.exe
| MD5 | 871034efb8fb6ee792d3067b345e16ea |
| SHA1 | d2fc4ab9970428f89ad2ff75415fac44e9637ba8 |
| SHA256 | e72be92269785ff753d7fd7a1f0fa9b35586f48a93b34080aed3f336c97c854f |
| SHA512 | aa222c630e5494616b3d22f7d48a954448271a6e0a2e20501bee57ac2b10f6aad38bff07a47c7fa53c783300d5b178ebe49115c41c0b35dd6e70e075a52442d4 |
memory/2800-542-0x0000000140000000-0x00000001401ED000-memory.dmp
C:\Windows\System32\wbem\WmiApSrv.exe
| MD5 | 0f3da5340b13ca6f401b3a4f1686855d |
| SHA1 | 62637e99292aa1ef4ce9bb37c067d970cca28c21 |
| SHA256 | 17c5e91de0195bcbf44cc051bfa54dfd1be3d0a0429bb6eebd4c3f1445da0eab |
| SHA512 | 979f1192ead603b8f8396916e2f72f545b4d69fe8a987f1685064d6284392e08e13f5dc271e3d607b0347871acddadc1fff77645ccb632ecca659e2860b2320f |
C:\Program Files\Windows Media Player\wmpnetwk.exe
| MD5 | b26628eea1907b17c35750532ce4d849 |
| SHA1 | f6c8adfab00e3cf0503af297889744ee272154a9 |
| SHA256 | 9d0baf9331fe4f7ca9b262f0e46f2afcabc5f58282be7d23c6f1c19dbcf7376c |
| SHA512 | 95216a86e696977ff6cb5f6782ececbf642c817c4cbffae0d7b1143fb04823b9bfcf2afff9862fe57aed8f3d659e12d1915711d398c89664be989543b1e28990 |
C:\Windows\System32\SearchIndexer.exe
| MD5 | dd65054ad8993a0f94adfc5ad4e97296 |
| SHA1 | 6ab2d307443a9b87dd60413d55c1bcd3b6e25a42 |
| SHA256 | 5b833e68d964f0ea5e3545ec0c2ddc66b3785c83b898d90d1c89af2d55f7bb8e |
| SHA512 | bd9a70dda8c87970cab8969311096080ce3d71019d2d9df97045c1bb4bebc7bf1b77e5aa0b9e9f3ce491da87dd7c5a230e1d1f872366eb1c3d88a4a0951abe44 |
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
| MD5 | 178a003832b7c460b174e899f6f9caf5 |
| SHA1 | 34b68ede2369f3fa855274f5f9363b7db7274fcf |
| SHA256 | eda0aeb4444694d9bde14638e91999bc018eba1a94fba57987c13de666ab4e2c |
| SHA512 | 7aed908d2bf2c9444e3fce66662832c3c22c6f10019c580dd36ec71c39179626761612fada37e5700f75facf5cae2c1d0cc05fc106653dc04c082c2b773e1e9c |
memory/2568-780-0x000000002E000000-0x000000002FE1E000-memory.dmp
memory/2656-784-0x0000000003D30000-0x0000000003DEA000-memory.dmp
memory/2428-900-0x0000000140000000-0x00000001401F1000-memory.dmp
memory/2800-991-0x0000000140000000-0x00000001401ED000-memory.dmp
memory/2452-997-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/2360-1010-0x0000000140000000-0x000000014013C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 15:26
Reported
2024-06-12 15:29
Platform
win10v2004-20240611-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing SQL queries to confidential data stores. Observed in infostealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
Reads user/profile data of web browsers
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Software\WOW6432Node\Avira\Antivirus | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
Checks installed software on the system
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
Checks system information in the registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe |
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_909cfdcee4a03c11c7f5091092955f3a_magniber_revil.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4812 -ip 4812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 4412
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ncc.avast.com | udp |
| NL | 96.16.53.161:80 | ncc.avast.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.192:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | analytics.ff.avast.com | udp |
| US | 34.117.223.223:443 | analytics.ff.avast.com | tcp |
| US | 8.8.8.8:53 | 223.223.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.ccleaner.com | udp |
| US | 8.8.8.8:53 | ip-info.ff.avast.com | udp |
| US | 8.8.8.8:53 | shepherd.ff.avast.com | udp |
| US | 8.8.8.8:53 | ipm-provider.ff.avast.com | udp |
| BE | 104.90.25.36:443 | www.ccleaner.com | tcp |
| BE | 104.90.25.36:443 | www.ccleaner.com | tcp |
| US | 34.160.176.28:443 | shepherd.ff.avast.com | tcp |
| US | 34.149.149.62:443 | ip-info.ff.avast.com | tcp |
| US | 34.111.24.1:443 | ipm-provider.ff.avast.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 172.217.169.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 172.217.169.67:80 | o.pki.goog | tcp |
| GB | 172.217.169.67:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | download.ccleaner.com | udp |
| US | 8.8.8.8:53 | 28.176.160.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 62.149.149.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.25.90.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.24.111.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| NL | 104.80.229.38:443 | download.ccleaner.com | tcp |
| US | 8.8.8.8:53 | license-api.ccleaner.com | udp |
| BE | 104.90.25.36:443 | license-api.ccleaner.com | tcp |
| US | 8.8.8.8:53 | 38.229.80.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
Files
memory/4812-0-0x0000000002E60000-0x0000000002E61000-memory.dmp
memory/4812-1-0x0000000005290000-0x0000000005291000-memory.dmp
memory/4812-2-0x00000000052A0000-0x00000000052A1000-memory.dmp
memory/4812-3-0x00000000052B0000-0x00000000052B1000-memory.dmp
memory/4812-4-0x00000000052C0000-0x00000000052C1000-memory.dmp
memory/4812-5-0x00000000052D0000-0x00000000052D1000-memory.dmp
memory/4812-6-0x00000000052E0000-0x00000000052E1000-memory.dmp
memory/4812-7-0x00000000052F0000-0x00000000052F1000-memory.dmp
memory/4812-8-0x0000000000400000-0x0000000002742000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gcapi_17182060074812.dll
| MD5 | f637d5d3c3a60fddb5dd397556fe9b1d |
| SHA1 | 66f0c4f137870a9927400ea00facc00193ef21e3 |
| SHA256 | 641b843cb6ee7538ec267212694c9ef0616b9ac9ab14a0abd7cf020678d50b02 |
| SHA512 | e96984f2f9c6858e989f10fd8e71b09a8a640c9be2fb87ac1692d9bca7107d7a837f8fbdcc46c01a6107dd9020994c5a6f975b7e16434e9b2bf1c43b1f0d8b31 |
memory/4812-17-0x000000000C780000-0x000000000C790000-memory.dmp
memory/4812-23-0x000000000C8E0000-0x000000000C8F0000-memory.dmp
memory/4812-41-0x000000000D450000-0x000000000D458000-memory.dmp
memory/4812-43-0x000000000D2F0000-0x000000000D2F8000-memory.dmp
memory/4812-44-0x000000000D2E0000-0x000000000D2E1000-memory.dmp
memory/4812-46-0x000000000D2F0000-0x000000000D2F8000-memory.dmp
memory/4812-49-0x000000000D2E0000-0x000000000D2E8000-memory.dmp
memory/4812-52-0x000000000D2A0000-0x000000000D2A1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
| MD5 | 9535bbfcfd2a6eaf1c9523cb3eb3d9ac |
| SHA1 | e81080957ca709b3a2b000d86c908861d75c00a9 |
| SHA256 | bb964f2530acab357dc47d3fadfa93e6f29a1a3779cae4d961c1adc3da17f3e2 |
| SHA512 | 03aae1900e83d7c7db30a6c152c21a9664d7142d8c9a2cef0124f68a59ca2777390535813710971ec50b2b0f06f76a961fc1a73c0a68338fef94dff6e7efa37b |
memory/4812-64-0x000000000D390000-0x000000000D398000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
| MD5 | 23defed2ca8e26a7c52dcb769f3f4094 |
| SHA1 | afe1a902befbd3f37e91962cf8e30a74df6531c8 |
| SHA256 | 49adce17ef4ba9c6fc2f8b5c1d86d7a159652005c49bc514836a15c7e4bae5fa |
| SHA512 | 93543fd5be33b3b08fb3fcf61f69c55ce51fac5f688850c653c9d669e6ab4bcdc7b18b04a11689d272c8c472200bb5f5c05a7eadaed13b116c24fce2478e47c0 |
memory/4812-73-0x000000000D2A0000-0x000000000D2A1000-memory.dmp
memory/4812-69-0x000000000D2E0000-0x000000000D2E1000-memory.dmp
memory/4812-66-0x000000000D3D0000-0x000000000D3D8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log
| MD5 | 4d3b06c8e4d8c2f7cec3f7a1921a903e |
| SHA1 | 7e9d60ff8e05e00929426aab28f4c7e7145dcd8b |
| SHA256 | 94ef4c61c9fd68fdacc5c5b1c24fa476a9c400cc4343cb8fa5b5d15d4e1b6cf6 |
| SHA512 | 74ccd64cda9a3cf9a4ae3851fbfb9440d22698f09c03077f65073f55f56f5220b939cf6b52dc4a9bed9c58d7d18facd9409017d98c05f5fa59894f222305c660 |
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-us\default.dic
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/4812-177-0x0000000000400000-0x0000000002742000-memory.dmp
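The two Files sections above mix three kinds of entries: memory dumps (no hashes), benign churn such as the WebCache, Cookies, ngen_service.log and spelling-dictionary files, and the artefacts that matter, i.e. the dropped DLL and the executables written under System32 and Program Files (consistent with the "Drops file in System32 directory" and "Executes dropped EXE" signatures). Note that the dropped DLL is the same content in both runs (MD5 f637d5d3c3a60fddb5dd397556fe9b1d) under two different names, gcapi_17182060182236.dll and gcapi_17182060074812.dll; the trailing digits match the PIDs in the memory-dump names (2236 and 4812) and the 10-digit prefix decodes as a Unix timestamp within a minute of the submission time, so the file name is per-run and only the hash is a usable indicator. The script below is an added example written for this page (not the sandbox's own code): it parses this listing format, drops the noise paths, keys indicators by SHA256 so renamed copies collapse into one record, and decodes the DLL name under the timestamp-plus-PID assumption just described. The sample entries are copied from the sections above, with some hash rows omitted.

```python
"""De-duplicate sandbox 'Files' listings into hash-keyed IOCs.

Added example for this report, not part of the sandbox's own tooling.
"""
import re
from datetime import datetime, timezone

# Constructed sample: entries copied from the two Files sections above
# (subset; SHA1/SHA512 rows left out to keep it short).
SAMPLE_FILES = r"""
memory/2236-5-0x0000000002750000-0x00000000027B7000-memory.dmp
\Windows\System32\alg.exe
| MD5 | 5f5e55637be2d0589bae1497cb8c3887 |
| SHA256 | bfb579d89174e2d3fc9ab986b3b1d24bfb36fb6df40cf43d78b74da5ffa5070f |
\Users\Admin\AppData\Local\Temp\gcapi_17182060182236.dll
| MD5 | f637d5d3c3a60fddb5dd397556fe9b1d |
| SHA256 | 641b843cb6ee7538ec267212694c9ef0616b9ac9ab14a0abd7cf020678d50b02 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log
| SHA256 | ea86999cd13f05d87bf60ed22da787eb86df52d73819fade67f626f74d75c137 |
memory/4812-8-0x0000000000400000-0x0000000002742000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gcapi_17182060074812.dll
| MD5 | f637d5d3c3a60fddb5dd397556fe9b1d |
| SHA256 | 641b843cb6ee7538ec267212694c9ef0616b9ac9ab14a0abd7cf020678d50b02 |
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-us\default.dic
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
"""

HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")

# Paths Windows or the sandbox rewrite on every run; their hashes are noise.
NOISE_RE = re.compile(
    r"(\\WebCache\\|\\Cookies\\|\\Spelling\\|ngen_service\.log$|\\MSS\.log$)", re.I
)

# Dropped DLL names of the form gcapi_<10-digit unix time><pid>.dll (assumption
# inferred from the two runs above; see the lead-in).
GCAPI_RE = re.compile(r"gcapi_(\d{10})(\d+)\.dll$", re.I)


def parse_files(text):
    """Group each file path with the hash rows that follow it."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            if current is not None:
                current["hashes"][m.group(1).lower()] = m.group(2).lower()
            continue
        if line.startswith("memory/"):
            current = None  # memory dumps carry no hashes
            continue
        current = {"path": line, "hashes": {}}
        entries.append(current)
    return entries


def is_noise(path):
    return NOISE_RE.search(path) is not None


def build_iocs(entries):
    """Key by SHA256 so the same payload under two names collapses to one IOC."""
    iocs = {}
    for e in entries:
        sha = e["hashes"].get("sha256")
        if sha is None or is_noise(e["path"]):
            continue
        rec = iocs.setdefault(sha, {"sha256": sha, "md5": e["hashes"].get("md5"), "paths": []})
        if e["path"] not in rec["paths"]:
            rec["paths"].append(e["path"])
    return iocs


def decode_gcapi_name(filename):
    """Split gcapi_<epoch><pid>.dll into (UTC timestamp string, pid), or None."""
    m = GCAPI_RE.search(filename)
    if not m:
        return None
    ts = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
    return ts.strftime("%Y-%m-%d %H:%M:%S"), int(m.group(2))


if __name__ == "__main__":
    for sha, rec in build_iocs(parse_files(SAMPLE_FILES)).items():
        print(sha, rec["paths"])
    print(decode_gcapi_name(r"\Users\Admin\AppData\Local\Temp\gcapi_17182060182236.dll"))
```

Two practical notes. First, the hashes listed for paths such as \Windows\System32\alg.exe or the mscorsvw.exe copies are the post-detonation contents of those paths, so comparing them against a known-good build manifest of the same Windows image is the quickest way to tell a modified system binary from a clean one. Second, the noise filter is deliberately a short, editable list; on a different sandbox image the set of benign churn files will differ.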