magniber | 5472bce876d0758fb1379260504b791a3b8c95b87fc365f5ce8c3a6424facd34

Analysis

max time kernel
148s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2022 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SYSTEM.Security.Database.Upgrade.Win10.0_1.jse
Size

192KB
MD5

b40966619d66f80774ebf817c3316acc
SHA1

cdc90f17b5a54005993a4db61ac60e0b905f8416
SHA256

5472bce876d0758fb1379260504b791a3b8c95b87fc365f5ce8c3a6424facd34
SHA512

a489b19a01b66807e3cc5af17abdc679e72d34139b47f5face96ac68cf183f5d790d24adb065db9327dd82cde24532c3e193a716a5212df310f90eb7e241b88e
SSDEEP

6144:9a6398SbpjPvtKLqAMFHEbbz5ek3/Auyn5Ia:xnvkwdizUk3/Auynqa

Score

10^/10

magniber evasion ransomware

Malware Config

Signatures

Detect magniber ransomware 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4460-134-0x0000027D00000000-0x0000027D01000000-memory.dmp	family_magniber
behavioral2/memory/2528-135-0x000002B397590000-0x000002B39759B000-memory.dmp	family_magniber
behavioral2/memory/4460-147-0x0000027D00000000-0x0000027D01000000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

bcdedit.exebcdedit.exewbadmin.exewbadmin.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	4408	bcdedit.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	4408	bcdedit.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	4408	wbadmin.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	4408	wbadmin.exe	98

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exe

pid	Process
1652	bcdedit.exe
1788	bcdedit.exe

Deletes System State backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

wbadmin.exe

pid	Process
2612	wbadmin.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

wbadmin.exe

pid	Process
8	wbadmin.exe

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

sihost.exe

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\PushWait.png => C:\Users\Admin\Pictures\PushWait.png.fhbrfuj	sihost.exe
File renamed	C:\Users\Admin\Pictures\StartRestore.png => C:\Users\Admin\Pictures\StartRestore.png.fhbrfuj	sihost.exe
File renamed	C:\Users\Admin\Pictures\SwitchConfirm.png => C:\Users\Admin\Pictures\SwitchConfirm.png.fhbrfuj	sihost.exe
File opened for modification	C:\Users\Admin\Pictures\SyncSuspend.tiff	sihost.exe
File renamed	C:\Users\Admin\Pictures\SyncSuspend.tiff => C:\Users\Admin\Pictures\SyncSuspend.tiff.fhbrfuj	sihost.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
1092	3304	WerFault.exe	39

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Modifies registry class 42 IoCs

Processes:

taskhostw.exeRuntimeBroker.exesvchost.exeRuntimeBroker.exeExplorer.EXEsihost.exesvchost.exeRuntimeBroker.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/mawnvixhoycw.wmv"	sihost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/ldykztgwayfr.wmv"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/qyrhymatllao.wmv"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/mfbtkxi.wmv"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/pgpepblqb.wmv"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/apoywn.wmv"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/ghwhrgnjsjvc.wmv"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/athykapdoev.wmv"	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

WScript.exe

pid	Process
4460	WScript.exe
4460	WScript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid	Process
2804	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

Explorer.EXERuntimeBroker.exevssvc.exewbengine.exe

description	pid	Process
Token: SeShutdownPrivilege	2804	Explorer.EXE
Token: SeCreatePagefilePrivilege	2804	Explorer.EXE
Token: SeShutdownPrivilege	3464	RuntimeBroker.exe
Token: SeShutdownPrivilege	3464	RuntimeBroker.exe
Token: SeShutdownPrivilege	3464	RuntimeBroker.exe
Token: SeShutdownPrivilege	2804	Explorer.EXE
Token: SeCreatePagefilePrivilege	2804	Explorer.EXE
Token: SeBackupPrivilege	1168	vssvc.exe
Token: SeRestorePrivilege	1168	vssvc.exe
Token: SeAuditPrivilege	1168	vssvc.exe
Token: SeShutdownPrivilege	2804	Explorer.EXE
Token: SeCreatePagefilePrivilege	2804	Explorer.EXE
Token: SeShutdownPrivilege	2804	Explorer.EXE
Token: SeCreatePagefilePrivilege	2804	Explorer.EXE
Token: SeShutdownPrivilege	2804	Explorer.EXE
Token: SeCreatePagefilePrivilege	2804	Explorer.EXE
Token: SeShutdownPrivilege	2804	Explorer.EXE
Token: SeCreatePagefilePrivilege	2804	Explorer.EXE
Token: SeShutdownPrivilege	2804	Explorer.EXE
Token: SeCreatePagefilePrivilege	2804	Explorer.EXE
Token: SeBackupPrivilege	4904	wbengine.exe
Token: SeRestorePrivilege	4904	wbengine.exe
Token: SeSecurityPrivilege	4904	wbengine.exe
Token: SeShutdownPrivilege	2804	Explorer.EXE
Token: SeCreatePagefilePrivilege	2804	Explorer.EXE
Token: SeShutdownPrivilege	2804	Explorer.EXE
Token: SeCreatePagefilePrivilege	2804	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

WScript.execmd.exefodhelper.execmd.exefodhelper.exe

description	pid	Process	procid_target
PID 4460 wrote to memory of 2528	4460	WScript.exe	51
PID 4460 wrote to memory of 2560	4460	WScript.exe	49
PID 4460 wrote to memory of 2812	4460	WScript.exe	42
PID 4460 wrote to memory of 2804	4460	WScript.exe	41
PID 4460 wrote to memory of 3092	4460	WScript.exe	40
PID 4460 wrote to memory of 3304	4460	WScript.exe	39
PID 4460 wrote to memory of 3392	4460	WScript.exe	38
PID 4460 wrote to memory of 3464	4460	WScript.exe	15
PID 4460 wrote to memory of 3556	4460	WScript.exe	37
PID 4460 wrote to memory of 3808	4460	WScript.exe	16
PID 4460 wrote to memory of 4684	4460	WScript.exe	34
PID 3764 wrote to memory of 4160	3764	cmd.exe	95
PID 3764 wrote to memory of 4160	3764	cmd.exe	95
PID 4160 wrote to memory of 3416	4160	fodhelper.exe	97
PID 4160 wrote to memory of 3416	4160	fodhelper.exe	97
PID 4784 wrote to memory of 836	4784	cmd.exe	115
PID 4784 wrote to memory of 836	4784	cmd.exe	115
PID 836 wrote to memory of 2780	836	fodhelper.exe	117
PID 836 wrote to memory of 2780	836	fodhelper.exe	117

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3464

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3808

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:4684

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3556

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3392

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3304
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3304 -s 744
  2⤵
  - Program crash
  PID:1092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Modifies registry class
PID:3092
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3764
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4160
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/mfbtkxi.wmv
      4⤵
      PID:3416

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2804
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\SYSTEM.Security.Database.Upgrade.Win10.0_1.jse"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4460

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
PID:2812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Modifies registry class
PID:2560
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/pgpepblqb.wmv
      4⤵
      PID:2780

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies extensions of user files
- Modifies registry class
PID:2528

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 3304 -ip 3304
1⤵
PID:1784

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:1652

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:1788

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:8

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
PID:2612

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3580

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:2416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\mfbtkxi.wmv

Filesize
868B

MD5
581973cdfb4720018293584fa82b6973

SHA1
a280dec72dff08d9448d866e6e3011241c5794bc

SHA256
1972fe56babf7575426b0690a118c342ef8cff2e463b16a8cf3071c3229d510b

SHA512
6e115f41e19dc2e90d8800fb3089f4b83d048c41c25e994b8c23c409bb30eede25bf208d61315574253002a287abef3dd876c9673d6ff928a70f46608ab8fd80

Download Submit
memory/836-152-0x0000000000000000-mapping.dmp

Download
memory/2528-135-0x000002B397590000-0x000002B39759B000-memory.dmp

Filesize
44KB

Download
memory/2780-153-0x0000000000000000-mapping.dmp

Download
memory/3416-150-0x0000000000000000-mapping.dmp

Download
memory/4160-149-0x0000000000000000-mapping.dmp

Download
memory/4460-132-0x00007FF883FC0000-0x00007FF884A81000-memory.dmp

Filesize
10.8MB

Download
memory/4460-134-0x0000027D00000000-0x0000027D01000000-memory.dmp

Filesize
16.0MB

Download
memory/4460-145-0x00007FF883FC0000-0x00007FF884A81000-memory.dmp

Filesize
10.8MB

Download
memory/4460-147-0x0000027D00000000-0x0000027D01000000-memory.dmp

Filesize
16.0MB

Download
memory/4460-148-0x00007FF883FC0000-0x00007FF884A81000-memory.dmp

Filesize
10.8MB

Download