magniber | dfa32d8ed7c429b020c0581148a55bc752c35834d7a2b1bae886f2b436285c94

General

Target

SYSTEM.Critical.Upgrade.Win10.0.ba45bd8ee89b1.js
Size

217KB
MD5

0fd4c12239b945723e6c622d48f07979
SHA1

22cbc2c26832c8c3dd4be9c7fe6bbe94dbfbcdb2
SHA256

dfa32d8ed7c429b020c0581148a55bc752c35834d7a2b1bae886f2b436285c94
SHA512

a37affd28bc088ff6a27ac22e69e2479c2b4eeb015fd8d284097ce174f2ca6af87719b205d0e9fb5e6b3bfcf4bfb7fd21f64956eb173adfe854b3dc10db3c40b
SSDEEP

1536:t0AGu7QKLA6Yw14Gl1SSHwb5Wo3ayPu8Iow7of50bgd0BwNH2UB7zyigICK5iu/d:6Tmp25gfWPV

Score

10^/10

magniber evasion ransomware

Malware Config

Signatures

Detect magniber ransomware 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2124-136-0x0000024B42222000-0x0000024B4222D000-memory.dmp	family_magniber
behavioral2/memory/2348-137-0x00000152B21A0000-0x00000152B21AA000-memory.dmp	family_magniber
behavioral2/memory/2124-149-0x0000024B42222000-0x0000024B4222D000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

bcdedit.exebcdedit.exewbadmin.exewbadmin.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	828	bcdedit.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	828	bcdedit.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	828	wbadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3824	828	wbadmin.exe

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2428 bcdedit.exe
4964 bcdedit.exe
Deletes System State backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

3824 wbadmin.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2612 wbadmin.exe

pid	process
2428	bcdedit.exe
4964	bcdedit.exe

pid	process
3824	wbadmin.exe

pid	process
2612	wbadmin.exe

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

svchost.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\EditSearch.crw => C:\Users\Admin\Pictures\EditSearch.crw.ibopxiji	svchost.exe
File renamed	C:\Users\Admin\Pictures\GrantExpand.raw => C:\Users\Admin\Pictures\GrantExpand.raw.ibopxiji	svchost.exe
File renamed	C:\Users\Admin\Pictures\RegisterRename.raw => C:\Users\Admin\Pictures\RegisterRename.raw.ibopxiji	svchost.exe
File renamed	C:\Users\Admin\Pictures\UpdateAssert.crw => C:\Users\Admin\Pictures\UpdateAssert.crw.ibopxiji	svchost.exe
File renamed	C:\Users\Admin\Pictures\StartGrant.tif => C:\Users\Admin\Pictures\StartGrant.tif.ibopxiji	svchost.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1560 3284 WerFault.exe DllHost.exe

pid	pid_target	process	target process
1560	3284	WerFault.exe	DllHost.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Modifies registry class 42 IoCs

Processes:

taskhostw.exeRuntimeBroker.exesvchost.exesihost.exesvchost.exeExplorer.EXERuntimeBroker.exeRuntimeBroker.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/gbjpnfxgvkzo.tex"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/jizmyj.tex"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/npzkzph.tex"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/obivru.tex"	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/cakgyhvwp.tex"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/pvwulprt.tex"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/hvlqyqwch.tex"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/hibrapux.tex"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

wscript.exe

pid process

2124 wscript.exe
2124 wscript.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3032 Explorer.EXE

pid	process
2124	wscript.exe
2124	wscript.exe

pid	process
3032	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

RuntimeBroker.exeExplorer.EXEvssvc.exewbengine.exe

description	pid	process
Token: SeShutdownPrivilege	3436	RuntimeBroker.exe
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3436	RuntimeBroker.exe
Token: SeShutdownPrivilege	3436	RuntimeBroker.exe
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeBackupPrivilege	1768	vssvc.exe
Token: SeRestorePrivilege	1768	vssvc.exe
Token: SeAuditPrivilege	1768	vssvc.exe
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeBackupPrivilege	2232	wbengine.exe
Token: SeRestorePrivilege	2232	wbengine.exe
Token: SeSecurityPrivilege	2232	wbengine.exe
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

wscript.execmd.exefodhelper.exe

description	pid	process	target process
PID 2124 wrote to memory of 2348	2124	wscript.exe	sihost.exe
PID 2124 wrote to memory of 2392	2124	wscript.exe	svchost.exe
PID 2124 wrote to memory of 2480	2124	wscript.exe	taskhostw.exe
PID 2124 wrote to memory of 3032	2124	wscript.exe	Explorer.EXE
PID 2124 wrote to memory of 2688	2124	wscript.exe	svchost.exe
PID 2124 wrote to memory of 3284	2124	wscript.exe	DllHost.exe
PID 2124 wrote to memory of 3372	2124	wscript.exe	StartMenuExperienceHost.exe
PID 2124 wrote to memory of 3436	2124	wscript.exe	RuntimeBroker.exe
PID 2124 wrote to memory of 3520	2124	wscript.exe	SearchApp.exe
PID 2124 wrote to memory of 3736	2124	wscript.exe	RuntimeBroker.exe
PID 2124 wrote to memory of 4700	2124	wscript.exe	RuntimeBroker.exe
PID 4568 wrote to memory of 4484	4568	cmd.exe	fodhelper.exe
PID 4568 wrote to memory of 4484	4568	cmd.exe	fodhelper.exe
PID 4484 wrote to memory of 4912	4484	fodhelper.exe	wscript.exe
PID 4484 wrote to memory of 4912	4484	fodhelper.exe	wscript.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
PID:2348

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
PID:2480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Modifies registry class
PID:2392

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3436

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3372

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3284
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3284 -s 404
  2⤵
  - Program crash
  PID:1560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Modifies extensions of user files
- Modifies registry class
PID:2688
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4484
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/cakgyhvwp.tex
      4⤵
      PID:4912

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3032
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\SYSTEM.Critical.Upgrade.Win10.0.ba45bd8ee89b1.js
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2124

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:4700

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3736

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3520

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 3284 -ip 3284
1⤵
PID:4628

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:2428

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:4964

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:2612

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
PID:3824

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2928

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:2164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

2

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

3

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\cakgyhvwp.tex

Filesize
869B

MD5
b36267cac60eabc0d2df92f48e50290a

SHA1
e61d05db92f8d41f64fe9c615cdc0bd7bd8cc55d

SHA256
160042070c4e8cb3bd76f1d36841d8967534ea2311ac062ab82e17a90c29cdfd

SHA512
e366e4ccc6bbc004cca3ac612eefc1097bc164a7ac205a45abba71a551579b4c944311ef7206f443d4edf3217f280dbeaa9aaba7ab1b3a32d784e34fa043ef5b

Download Submit
memory/2124-132-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/2124-133-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/2124-134-0x0000024B5B8D0000-0x0000024B5BA4E000-memory.dmp

Filesize
1.5MB

Download
memory/2124-135-0x0000024B5BF80000-0x0000024B5C4A8000-memory.dmp

Filesize
5.2MB

Download
memory/2124-136-0x0000024B42222000-0x0000024B4222D000-memory.dmp

Filesize
44KB

Download
memory/2124-148-0x00007FFF78560000-0x00007FFF79021000-memory.dmp

Filesize
10.8MB

Download
memory/2124-149-0x0000024B42222000-0x0000024B4222D000-memory.dmp

Filesize
44KB

Download
memory/2348-137-0x00000152B21A0000-0x00000152B21AA000-memory.dmp

Filesize
40KB

Download
memory/4484-150-0x0000000000000000-mapping.dmp

Download
memory/4912-151-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads