948a99a872a34e0d7456de1a4f268b24d82e33ee7e41991b6cb03fdae8242e3a

Analysis

max time kernel
161s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
Size

1.6MB
MD5

78f3a1793ce06093cbba5023d29e650e
SHA1

c4d5739de577f3d4715d3f0ff9eda8b8e69f63f8
SHA256

948a99a872a34e0d7456de1a4f268b24d82e33ee7e41991b6cb03fdae8242e3a
SHA512

ed67a96a9eb2bdf62b1ec6d796aa1f2350fc9c73b8c318f6d21e5b63d60bf4f94364a3b345b1667f3c78bedd48eb8c0192984d1b40bf07f40160b69a5f94c0c6
SSDEEP

24576:xPHeMy8QQGeQrRUm7KAd6JtFMGFWwH5iksXSGBwKMDHreO9w7chAdaD38VvhYPjs:tbhSnKAwCWjZmXtgBwpi3Fj5Ngb9

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2896	alg.exe
4596	DiagnosticsHub.StandardCollector.Service.exe
1624	fxssvc.exe
4536	elevation_service.exe
1312	elevation_service.exe
3540	maintenanceservice.exe
3472	msdtc.exe
2880	OSE.EXE
4076	PerceptionSimulationService.exe
1564	perfhost.exe
4708	locator.exe
1120	SensorDataService.exe
4588	snmptrap.exe
3980	spectrum.exe
5028	ssh-agent.exe
4484	TieringEngineService.exe
4140	AgentService.exe
3588	vds.exe
4780	vssvc.exe
3080	wbengine.exe
3972	WmiApSrv.exe
5040	SearchIndexer.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\28b63836b3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\java.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f2689f37088bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c65d9738088bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
680	Process not Found
680	Process not Found

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4968	2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
Token: SeAuditPrivilege	1624	fxssvc.exe
Token: SeRestorePrivilege	4484	TieringEngineService.exe
Token: SeManageVolumePrivilege	4484	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4140	AgentService.exe
Token: SeBackupPrivilege	4780	vssvc.exe
Token: SeRestorePrivilege	4780	vssvc.exe
Token: SeAuditPrivilege	4780	vssvc.exe
Token: SeBackupPrivilege	3080	wbengine.exe
Token: SeRestorePrivilege	3080	wbengine.exe
Token: SeSecurityPrivilege	3080	wbengine.exe
Token: 33	5040	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 3508	5040	SearchIndexer.exe	127
PID 5040 wrote to memory of 3508	5040	SearchIndexer.exe	127
PID 5040 wrote to memory of 5148	5040	SearchIndexer.exe	129
PID 5040 wrote to memory of 5148	5040	SearchIndexer.exe	129

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-10_78f3a1793ce06093cbba5023d29e650e_magniber.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2896

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3776

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4536

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1312

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3540

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3472

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2880

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4076

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2660 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:1324

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4708

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1120

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4588

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3980

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5028

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1476

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3588

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3080

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3972

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3508
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  PID:5148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
b3f6af610d32087e17c1816c015ec91c

SHA1
9d986aa5b7cfbac173316c2bd5eb964e3ba3f381

SHA256
8f6310be2902e676a49a7ca7b78b6d69bc86841d053c9ad352b12f86a2925aa8

SHA512
083ab9e47b446a2b1b8c876221ee678bada5ed7b50479383ea6957e461af396cca252af42c81f53ee5bc69ee65b1a8e7c1e3c952c65c597bd66bd03dc0cca97b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
88d183f36c4fe473beee6961f2b518f6

SHA1
691aa9cb49037383e6e79b7e793ebe2c437aeba3

SHA256
c32b9f32327af3463521b4d8f83d6988f8ae3d645d6534e79b591941ab9c1dfb

SHA512
14ebf125420555990012b087371086aea59a28f78e374463722e4fb9f3a730acd22251b3748ee0e8f63d7636247a928f4bb1176032924e18146abd8cfda892bf

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
4b9ad18a3c7224f803f6b526776ba65d

SHA1
1c9ac101f8ae04705bdbdb810390d80a17936f2f

SHA256
8df5369777a9549342babb85f4ce82c116d9056581e83d48f68550775af29b7f

SHA512
84663871965e4ff195b3d3ca1bd587577e4d77d3f13698412a8bbc8e10bc68fcad4ce2c2e8e15845ccffd32b45044f6d912795691917faa0bb5ab8b5197d513c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
91edb100452d263e91ab57ebffc7b30b

SHA1
9ed12e9ee82cee76f35d4d81e8bb174f73724362

SHA256
c2562e2f570075cc5f767e51f03b97d37cdb76491349bef71038e6267a9b17be

SHA512
6c79adb2f89d93d739f32cb9f413754d94abd317030a8c3be27162c3d1dd75ac92ceff2494b6ad6ba5f28e2a70af7d3dd2f2c7c06de386547cf8efa474ce263c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
ed90d070d53b24510ed25dbe07d3ac8d

SHA1
b8f17c1aca8a6bec41e816fde99c5049a812453f

SHA256
a7e0cac90c176f7d0f8ec7feaddee31ac403c85ec2251f56c11cbb83bc56b093

SHA512
d81ae7b76f311b0829c58fd09cfaea728987a02423a809ef98c8c23bd6dd6fb19d82249068754fc36a97b8737de3d4f1daaf869912f752c02923d29f486eddb0

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c620f3663067080f2b65bbdc67d83bf2

SHA1
6157406613ef201ba2bd789ac54cc23788d6bec1

SHA256
5532110881bab056d669decf758ba38560f53a8368c6d0cc5053c00ee581970f

SHA512
329fc6ccb1ab73f2363dc3fe9f8d838f22890255192cd4fcf57736f5a832bc8444bab3b89abc5ca80c50fab7b61c59cac8a09d2ec84285d76d60b82213d0d544

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.6MB

MD5
3bb2fb5b72ebb49bca52f9537a028234

SHA1
d59af26e3615a61799b2fb2609fd7cfa7ea70c17

SHA256
66d24e0b59714f9cbc224303c403b790f938eefe984ca1019aa14833f720d7b6

SHA512
39ec19316d1711bcad3e63bd5683c6261cc775c94c9c2ff809b2aa589b907d39bc2c546f9d0e451743b1b57a00ec85ce8b1da896255623a9df4cd296bd62fdab

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a2ea672198579af28e1a1d32a22e4d88

SHA1
717d929a50f05384ed7da35bbaf52327e0b3d351

SHA256
ed7d7340fcd9482c6fdf4ad3df9cf37f108e82f7e826e8aeb827487e80e1ac4c

SHA512
9799657128ffb99e52a401004b3a26aab4692b61709c8a0fc05682883154ffc59480b301710f6eb709ec0149548ddb45ebf99549480bfb6d21331a2c937c0acf

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
cddf5990bd1e2eeb65e3dbe2d157a54c

SHA1
57ebe7aae420b443e502f88fadf1e268263fd501

SHA256
0fff09280914b15c1b3c8f554382084058a1a2cbad89a2233915aa84464421af

SHA512
03ee238277df4364924d25cc7dbbd145fb981fc891aa1631be7e7a8f9b0eafdff02b7410b22d159722d1257c692b91e365ce1cfc0594d9029b83f9b64ba3c939

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.9MB

MD5
af2ae7da5340dfa2bb6d630353df4883

SHA1
728d709dd50ee328fba480b10879f59cec5f1fa1

SHA256
19671d3ae2ac475db0a18b0f36b1db2e4d8a48d303f1495beafd73e00def9687

SHA512
3b10207d86bb9a5f4162612737a77622f2f8311a4a50bfdc16b14ecca9bc2e2727665648cd436dbc39cf54cd91116d07cf888c5450bbcc5d433982acc86d991d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
5d9243f1698e752e59ff1faeb3fc8f79

SHA1
c14445d47d3bc8063c8e398b0f32e35beb8c4c73

SHA256
1d79535c53156940c5feab4d8c1623aa457fb4311030a55c052bb51c9ff51e4b

SHA512
b0c4f19d43e92cd1b8782c9b62f9455d9e4b48291ddb4912175bc368d2e627648a562427e9a5de9eed980aa9c5549fecb9747d02e00594478766c1bb62e4d656

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6e2567b8160b06511965d59834760a5d

SHA1
88743600900a276d7fc448e7956cef13a0f46f27

SHA256
fd614c363304288f266e2e467d14df8b8cff5fdaa84b6323f9b77639960ac27e

SHA512
85f39f7fadacf9d8ce8876dd7aa757070c48c5da32a924b81296648a8963220c5e44dd0c26811e67a59386a1798afc739dc93ccbbce6483b1134e384d6e4322a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3a721defb3183772773e4251a794d5ae

SHA1
67fb08c8bd58dd1fa8b609de56c42e0d504c35b7

SHA256
4661be4446291507810d26fc3d4320c4d14b752f90e35e328c14861991048f41

SHA512
a92014457d6a2961f01c167c038a982b83dea9012789b14d462d5d580873e5d1a6aca8291b7d2e0fc717b52178468291e95ec45f02e628fd65e4ac90ee43f7d5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
53a3a524a8eb6a0b76f3ddaefb37b0ab

SHA1
14fedbfa9637a075481df0fb0596f8cbb741c607

SHA256
323e8ba72a723319f77fda4cfc17cb440cefbf6342b09608fe24bfbb258a8e93

SHA512
149c8cae46992c34569fb1d51c29bec61182beb0261614da159ed4f3323626de60b88dca9cca3047a4f482337518786655e0b3f25965e8ae65aaa5e4ddcd8516

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
7d74a4083c7d9a1cb49905ef1272c7d5

SHA1
32d78c5cde05dcca60fd1d573b2d236e9ca7a08a

SHA256
e087cdda63b61461ca54a12ac41f48c96e0c140ab4a72a37cdb0f44822deb000

SHA512
9cdcb712f95b53f61debd12c0b356fef27c4c432ddfe29a030a27f99c0b7bb927ef7219b2b99ea6fea381df8c6020a1a778eb41aeedd49089fe4ca7b742d7bcc

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
1.2MB

MD5
6d1af20b1e16f0216271abf1bbed91f2

SHA1
2a521b1fe7dea24cd1a4438fc12328153b39f1a4

SHA256
e8d07aec6364e68dd52bc9fa2c8ab98b03600357192070333d00038b032465a4

SHA512
72a600fd6446ac63fc3d8ad6bcd0a5430c1b253633ca1d86674a6b265dc87c47d5d32a0c94c8cd8504a0a08afef974e268742903a4603111a3d664fdb6772989

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.6MB

MD5
2db0ea470a7d40480d308167c9303f20

SHA1
46120315ce6b2efd48489c85a139c3f0f24de82c

SHA256
faa50e2531644f6072641273a1f71d2f02abdce4d8986f20678a25979fc4c138

SHA512
341e274d18f2865f6d154ecb214f4a08475531b7c787ab1c2345793030b4a7a2c8095678aacad49c531fd435108fe62e77a2c35e6f2df23ffad0a8e80904c20b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
baadbaaf49ace8cd12270ce80224f24c

SHA1
4d8e482fc21ea33126709d57baa830b12e946a32

SHA256
5aa1c4519af800707fb774fb524e72efb517701a54d72473587aa205a76822f8

SHA512
8ab3098bdddfbea9ad4101a19e5eabdf312603e3e87a71f8eeb0045e3c68194b89798da235aeb2766481465dd744b4bd76aa01aa81b4e46b2823ec8afa83c987

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
350b921a0e325de1ec7709a71d18d0af

SHA1
5580da118e4694a2c4d56eee25150fbf75a1c835

SHA256
0735a95834be97b4e61643e0632695e173411cfbce5124cd752e8a54e781576b

SHA512
9b14e0211a24c92b1528a4c98c134a748d929626711838a2f33c15d2727cfdbff4babb206b4009a0bf9ebb782fcdc58f7123d5692bc984a21ff9bccc411e3b71

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8775edd4309a02682b0bef4e9e7d9f41

SHA1
588ef815802b686d81df9a106a66296fa8de66c3

SHA256
7049aef4bc5fc5027e36a872fc5b3efc32f660952462221a24c32adcdc5c3a3f

SHA512
32d09786a3327ba4516d76a42413ff3e6d3bd6608c4ce2eb99ff95948f9b1a3f8ace842ab8ce573b27fc8a4e51682b29164b14c5d9e76608e6e02edde9e0c8ae

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
3ffacecdd951beba25b87d90c43255d8

SHA1
0fa41a8c4ef60283273d7b0d8acbe986a99e6520

SHA256
8523ae6d26837c4c2d8574e8aa4565a05417b56b16c8bce990dd97ab21ffb985

SHA512
012d605886c49515830e2396f668d6aea6f630cb36044eeb5989081b42f70a2c96986465502aeaef431584f0ddb3e4c8ec407d0c8b344438870d1ad0706416e7

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
92eda872e6fb9fd3f4f2c1edf78a9fad

SHA1
04f3586fabf7b007346108dbe98ca23c30ed5164

SHA256
2fae36f772a8b04690843f407747d4c5c6176483725ce475c563838db15ad029

SHA512
a7c25887d8d325713d170da09c918ff8d5e16bdbf2a39a9d19a41d3015a3ec0a914ed174354b7702148035f95382880ed8ab9ca347fe0b7c8603c3972995f120

Download Submit
memory/1120-259-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/1120-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1120-158-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/1120-258-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1120-215-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1312-129-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1312-70-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/1312-64-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1312-63-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/1564-197-0x0000000000400000-0x000000000067C000-memory.dmp

Filesize
2.5MB

Download
memory/1564-133-0x0000000000400000-0x000000000067C000-memory.dmp

Filesize
2.5MB

Download
memory/1624-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1624-47-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/1624-45-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/1624-39-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/1624-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2880-114-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2880-106-0x0000000140000000-0x00000001402B4000-memory.dmp

Filesize
2.7MB

Download
memory/2880-171-0x0000000140000000-0x00000001402B4000-memory.dmp

Filesize
2.7MB

Download
memory/2896-19-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2896-13-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2896-12-0x0000000140000000-0x000000014028F000-memory.dmp

Filesize
2.6MB

Download
memory/2896-71-0x0000000140000000-0x000000014028F000-memory.dmp

Filesize
2.6MB

Download
memory/3080-272-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/3080-262-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3080-342-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3472-91-0x0000000140000000-0x000000014029E000-memory.dmp

Filesize
2.6MB

Download
memory/3472-148-0x0000000140000000-0x000000014029E000-memory.dmp

Filesize
2.6MB

Download
memory/3472-92-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3472-99-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3540-76-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/3540-75-0x0000000140000000-0x00000001402AF000-memory.dmp

Filesize
2.7MB

Download
memory/3540-82-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/3540-87-0x0000000140000000-0x00000001402AF000-memory.dmp

Filesize
2.7MB

Download
memory/3540-85-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/3588-233-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3588-241-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3588-297-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3972-276-0x0000000140000000-0x00000001402AB000-memory.dmp

Filesize
2.7MB

Download
memory/3972-285-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3980-245-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3980-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3980-185-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/4076-119-0x0000000140000000-0x0000000140290000-memory.dmp

Filesize
2.6MB

Download
memory/4076-130-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/4076-183-0x0000000140000000-0x0000000140290000-memory.dmp

Filesize
2.6MB

Download
memory/4140-225-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/4140-230-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/4140-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4140-229-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4484-204-0x0000000140000000-0x00000001402C7000-memory.dmp

Filesize
2.8MB

Download
memory/4484-211-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/4484-275-0x0000000140000000-0x00000001402C7000-memory.dmp

Filesize
2.8MB

Download
memory/4536-52-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4536-113-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4536-53-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4536-59-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4588-172-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4588-232-0x0000000140000000-0x000000014027B000-memory.dmp

Filesize
2.5MB

Download
memory/4588-162-0x0000000140000000-0x000000014027B000-memory.dmp

Filesize
2.5MB

Download
memory/4596-26-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4596-90-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/4596-25-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/4596-33-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4708-144-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4708-136-0x0000000140000000-0x000000014027A000-memory.dmp

Filesize
2.5MB

Download
memory/4708-202-0x0000000140000000-0x000000014027A000-memory.dmp

Filesize
2.5MB

Download
memory/4780-255-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/4780-304-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4780-246-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4968-0-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/4968-37-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/4968-7-0x00000000023E0000-0x0000000002447000-memory.dmp

Filesize
412KB

Download
memory/4968-6-0x00000000023E0000-0x0000000002447000-memory.dmp

Filesize
412KB

Download
memory/4968-1-0x00000000023E0000-0x0000000002447000-memory.dmp

Filesize
412KB

Download
memory/5028-199-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/5028-263-0x0000000140000000-0x00000001402E7000-memory.dmp

Filesize
2.9MB

Download
memory/5028-189-0x0000000140000000-0x00000001402E7000-memory.dmp

Filesize
2.9MB

Download
memory/5040-289-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5040-299-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads