magniber | 6a68217b951f9655e4a7ed13fcfc4696ac5d231450fe7d2be8b6a1d71425752c

Analysis

max time kernel
148s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2022 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SYSTEM.Security.Database.Upgrade.Win10.0.jse
Size

185KB
MD5

f6d2fc78661b55258fb704f66c9949e4
SHA1

7c4608440e4afcb032890edd4deef18a0ce3c8dd
SHA256

6a68217b951f9655e4a7ed13fcfc4696ac5d231450fe7d2be8b6a1d71425752c
SHA512

9f66641f19e8046b19f7bffa056ec3e677aae853102dded94c22665381d0d2b65334c16c74d7b64df319b1518931d6ad281ad86c1fbc67ee6ba1984f67506dce
SSDEEP

3072:dthtQYzUz8giIajyEPeR00t/+DYhRkEIKf+6yr3S1IuIDbHBX66vPYH/J25gfgbD:z73zUz8gCjyUeihSRkCy3H36HxgbD

Score

10^/10

magniber evasion ransomware

Malware Config

Signatures

Detect magniber ransomware 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4984-133-0x000001C08059F000-0x000001C0805AA000-memory.dmp	family_magniber
behavioral1/memory/2808-134-0x000001A900BD0000-0x000001A900BDA000-memory.dmp	family_magniber
behavioral1/memory/4984-147-0x000001C08059F000-0x000001C0805AA000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

bcdedit.exebcdedit.exewbadmin.exewbadmin.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	528	bcdedit.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	528	bcdedit.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3476	528	wbadmin.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	528	wbadmin.exe	19

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exe

pid	Process
1556	bcdedit.exe
2816	bcdedit.exe

Deletes System State backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

wbadmin.exe

pid	Process
4980	wbadmin.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

wbadmin.exe

pid	Process
3476	wbadmin.exe

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

Explorer.EXE

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\StepShow.tif => C:\Users\Admin\Pictures\StepShow.tif.kzyfukvrt	Explorer.EXE
File renamed	C:\Users\Admin\Pictures\TestRegister.png => C:\Users\Admin\Pictures\TestRegister.png.kzyfukvrt	Explorer.EXE
File renamed	C:\Users\Admin\Pictures\OptimizeReceive.crw => C:\Users\Admin\Pictures\OptimizeReceive.crw.kzyfukvrt	Explorer.EXE
File renamed	C:\Users\Admin\Pictures\PingMerge.raw => C:\Users\Admin\Pictures\PingMerge.raw.kzyfukvrt	Explorer.EXE
File renamed	C:\Users\Admin\Pictures\GetJoin.png => C:\Users\Admin\Pictures\GetJoin.png.kzyfukvrt	Explorer.EXE

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2988	3304	WerFault.exe	31

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe

Modifies registry class 37 IoCs

Processes:

RuntimeBroker.exeExplorer.EXEsihost.exesvchost.exesvchost.exetaskhostw.exeRuntimeBroker.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/isafotzi.gif"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/jzvixkbshv.gif"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/qievfsh.gif"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/whdnyiufnyit.gif"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/nkvlzboxbf.gif"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/jvkxiwgsaji.gif"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/atlrdscob.gif"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

WScript.exe

pid	Process
4984	WScript.exe
4984	WScript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid	Process
1124	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

Explorer.EXERuntimeBroker.exevssvc.exewbengine.exe

description	pid	Process
Token: SeShutdownPrivilege	1124	Explorer.EXE
Token: SeCreatePagefilePrivilege	1124	Explorer.EXE
Token: SeShutdownPrivilege	3464	RuntimeBroker.exe
Token: SeShutdownPrivilege	3464	RuntimeBroker.exe
Token: SeShutdownPrivilege	3464	RuntimeBroker.exe
Token: SeShutdownPrivilege	1124	Explorer.EXE
Token: SeCreatePagefilePrivilege	1124	Explorer.EXE
Token: SeShutdownPrivilege	1124	Explorer.EXE
Token: SeCreatePagefilePrivilege	1124	Explorer.EXE
Token: SeShutdownPrivilege	1124	Explorer.EXE
Token: SeCreatePagefilePrivilege	1124	Explorer.EXE
Token: SeBackupPrivilege	1716	vssvc.exe
Token: SeRestorePrivilege	1716	vssvc.exe
Token: SeAuditPrivilege	1716	vssvc.exe
Token: SeShutdownPrivilege	1124	Explorer.EXE
Token: SeCreatePagefilePrivilege	1124	Explorer.EXE
Token: SeShutdownPrivilege	1124	Explorer.EXE
Token: SeCreatePagefilePrivilege	1124	Explorer.EXE
Token: SeShutdownPrivilege	1124	Explorer.EXE
Token: SeCreatePagefilePrivilege	1124	Explorer.EXE
Token: SeShutdownPrivilege	1124	Explorer.EXE
Token: SeCreatePagefilePrivilege	1124	Explorer.EXE
Token: SeShutdownPrivilege	1124	Explorer.EXE
Token: SeCreatePagefilePrivilege	1124	Explorer.EXE
Token: SeBackupPrivilege	4068	wbengine.exe
Token: SeRestorePrivilege	4068	wbengine.exe
Token: SeSecurityPrivilege	4068	wbengine.exe
Token: SeShutdownPrivilege	1124	Explorer.EXE
Token: SeCreatePagefilePrivilege	1124	Explorer.EXE
Token: SeShutdownPrivilege	1124	Explorer.EXE
Token: SeCreatePagefilePrivilege	1124	Explorer.EXE
Token: SeShutdownPrivilege	1124	Explorer.EXE
Token: SeCreatePagefilePrivilege	1124	Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

WScript.execmd.exefodhelper.execmd.exefodhelper.execmd.exefodhelper.exe

description	pid	Process	procid_target
PID 4984 wrote to memory of 2808	4984	WScript.exe	36
PID 4984 wrote to memory of 2844	4984	WScript.exe	35
PID 4984 wrote to memory of 2912	4984	WScript.exe	34
PID 4984 wrote to memory of 1124	4984	WScript.exe	33
PID 4984 wrote to memory of 3096	4984	WScript.exe	32
PID 4984 wrote to memory of 3304	4984	WScript.exe	31
PID 4984 wrote to memory of 3400	4984	WScript.exe	29
PID 4984 wrote to memory of 3464	4984	WScript.exe	7
PID 4984 wrote to memory of 3560	4984	WScript.exe	28
PID 4984 wrote to memory of 3764	4984	WScript.exe	27
PID 4984 wrote to memory of 4508	4984	WScript.exe	14
PID 2364 wrote to memory of 3648	2364	cmd.exe	93
PID 2364 wrote to memory of 3648	2364	cmd.exe	93
PID 3648 wrote to memory of 4608	3648	fodhelper.exe	95
PID 3648 wrote to memory of 4608	3648	fodhelper.exe	95
PID 1080 wrote to memory of 3204	1080	cmd.exe	112
PID 1080 wrote to memory of 3204	1080	cmd.exe	112
PID 3204 wrote to memory of 176	3204	fodhelper.exe	114
PID 3204 wrote to memory of 176	3204	fodhelper.exe	114
PID 2508 wrote to memory of 3332	2508	cmd.exe	117
PID 2508 wrote to memory of 3332	2508	cmd.exe	117
PID 3332 wrote to memory of 4388	3332	fodhelper.exe	118
PID 3332 wrote to memory of 4388	3332	fodhelper.exe	118

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3464

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
1⤵
PID:4508

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3764

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3560

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3400

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\SYSTEM.Security.Database.Upgrade.Win10.0.jse"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4984

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3304
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3304 -s 1004
  2⤵
  - Program crash
  PID:2988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Modifies registry class
PID:3096

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies extensions of user files
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1124
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3204
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/qievfsh.gif
      4⤵
      PID:176

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
PID:2912
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3648
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/jzvixkbshv.gif
      4⤵
      PID:4608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Modifies registry class
PID:2844

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
PID:2808
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3332
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/whdnyiufnyit.gif
      4⤵
      PID:4388

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 3304 -ip 3304
1⤵
PID:2508

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:1556

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:2816

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:3476

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
PID:4980

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:5116

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:1808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\jzvixkbshv.gif

Filesize
853B

MD5
e1364886ae80ad259f572645fb45e98b

SHA1
132dc959681181e7ab6dd6909046f53c5e9f69ad

SHA256
000ae2cfe01b7e4c5b1e01ad1a4c0aa0b223f373a1fecf13b8d052d55f9401a5

SHA512
632735d26425c0efa2f6a172625173d0e7bbc2d0b589cf0cfb2a3872a298edac6627596792daf4b3199248bd4fb83ada21a25f738a01b492ed95d19aea40890b

Download Submit
memory/176-152-0x0000000000000000-mapping.dmp

Download
memory/2808-134-0x000001A900BD0000-0x000001A900BDA000-memory.dmp

Filesize
40KB

Download
memory/3204-151-0x0000000000000000-mapping.dmp

Download
memory/3332-153-0x0000000000000000-mapping.dmp

Download
memory/3648-148-0x0000000000000000-mapping.dmp

Download
memory/4388-154-0x0000000000000000-mapping.dmp

Download
memory/4608-149-0x0000000000000000-mapping.dmp

Download
memory/4984-132-0x00007FFE35E30000-0x00007FFE368F1000-memory.dmp

Filesize
10.8MB

Download
memory/4984-147-0x000001C08059F000-0x000001C0805AA000-memory.dmp

Filesize
44KB

Download
memory/4984-146-0x00007FFE35E30000-0x00007FFE368F1000-memory.dmp

Filesize
10.8MB

Download
memory/4984-142-0x00007FFE35E30000-0x00007FFE368F1000-memory.dmp

Filesize
10.8MB

Download
memory/4984-133-0x000001C08059F000-0x000001C0805AA000-memory.dmp

Filesize
44KB

Download