Malware Analysis Report

2024-11-30 13:04

Sample ID: 240620-g9dkbatfja
Target: 2024-06-20_58cb516f3705373677afc78955cbccc8_magniber
SHA256: 72eb0f467620adb2baf75a86c887b926f18507ec5fdaf577520a301def2dc661
Tags: pyinstaller, bootkit, persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10

SHA256: 72eb0f467620adb2baf75a86c887b926f18507ec5fdaf577520a301def2dc661

Threat Level: Shows suspicious behavior

The file 2024-06-20_58cb516f3705373677afc78955cbccc8_magniber was found to show suspicious behavior.

Malicious Activity Summary

Tags: pyinstaller, bootkit, persistence

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Writes to the Master Boot Record (MBR)

Enumerates connected drives

Drops file in System32 directory

Suspicious use of NtCreateThreadExHideFromDebugger

Enumerates physical storage devices

Detects Pyinstaller

Unsigned PE

Suspicious behavior: MapViewOfSection

Suspicious use of UnmapMainImage

Modifies registry class

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Gathers network information

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 06:29

Signatures

Detects Pyinstaller

Tags: pyinstaller

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 06:29

Reported

2024-06-20 06:32

Platform

win7-20240611-en

Max time kernel

70s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A

Enumerates physical storage devices

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Modifies system certificate store

Tags: evasion, spyware, trojan

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81 | C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = [certificate blob data not preserved in this report] | C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = [certificate blob data not preserved in this report] | C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2072 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe | C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe | C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe | C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe | C:\Windows\SysWOW64\cmd.exe
PID 2748 wrote to memory of 2876 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\ipconfig.exe
PID 2748 wrote to memory of 2876 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\ipconfig.exe
PID 2748 wrote to memory of 2876 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\ipconfig.exe
PID 2748 wrote to memory of 2876 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\ipconfig.exe
PID 2072 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe | C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe | C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe | C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe | C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe | C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe
PID 2072 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe | C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe
PID 2072 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe | C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe
PID 2072 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe | C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe
PID 332 wrote to memory of 2416 | N/A | N/A | C:\Windows\system32\wbem\WMIADAP.EXE
PID 332 wrote to memory of 2416 | N/A | N/A | C:\Windows\system32\wbem\WMIADAP.EXE
PID 864 wrote to memory of 2416 | N/A | N/A | C:\Windows\system32\wbem\WMIADAP.EXE
PID 864 wrote to memory of 2416 | N/A | N/A | C:\Windows\system32\wbem\WMIADAP.EXE
PID 864 wrote to memory of 2416 | N/A | N/A | C:\Windows\system32\wbem\WMIADAP.EXE
PID 332 wrote to memory of 1956 | N/A | N/A | C:\Windows\system32\wbem\wmiprvse.exe
PID 332 wrote to memory of 1956 | N/A | N/A | C:\Windows\system32\wbem\wmiprvse.exe
PID 596 wrote to memory of 1956 | N/A | N/A | C:\Windows\system32\wbem\wmiprvse.exe
PID 596 wrote to memory of 1956 | N/A | N/A | C:\Windows\system32\wbem\wmiprvse.exe
PID 596 wrote to memory of 1956 | N/A | N/A | C:\Windows\system32\wbem\wmiprvse.exe
PID 376 wrote to memory of 2072 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe
PID 476 wrote to memory of 2072 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe
PID 476 wrote to memory of 2072 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe
PID 476 wrote to memory of 2072 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe
PID 476 wrote to memory of 2072 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe
PID 476 wrote to memory of 2072 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe
PID 476 wrote to memory of 2072 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe
PID 476 wrote to memory of 2072 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe
PID 476 wrote to memory of 2072 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe
PID 476 wrote to memory of 2072 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ipconfig /displaydns

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /displaydns

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c type C:\Windows\system32\drivers\etc\hosts

C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe

"C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe" dziss

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding

Network

Files

memory/2072-0-0x00000000003D0000-0x00000000003D1000-memory.dmp

\Users\Admin\AppData\Local\Temp\Systrace64.exe

MD5 2654c83d4c96705a057965cf8f24dc67
SHA1 88a9996f42d06fe647c68c55e8767cb36331508f
SHA256 3f6ebfad24e49af1f43876f03047ad82c2c1b284dbfe388d19fe3a5f27b64b6c
SHA512 2d934c20dfa4b9e57c1954c03f527709e1f9755d8437be08b153ff8b7c00e1e2823ec24f889234f63a7d03531a94635d7b0a56d0c1fcf9bc529cc16308fa9446

memory/2072-41-0x0000000000400000-0x0000000001F4D000-memory.dmp

memory/2476-43-0x0000000000400000-0x00000000006FC000-memory.dmp

memory/2072-66-0x0000000000400000-0x0000000001F4D000-memory.dmp

memory/2072-67-0x00000000003D0000-0x00000000003D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\result\processinfo64.info

MD5 ad9fef6f90f8492b336e01ff48e535e7
SHA1 881f3ef291fdebbb4b8bb045ed97e6d1c45ed790
SHA256 42f3e02156148f6efe2daad00715dd07afc95a5db87458dda7a3256a0576f6a2
SHA512 f5a64b832fc707d09253a903e74ed9a70194aeeef3e8c7067e761f738e099b709591103e63a659e5dcb57ebd6d1b68478ddc470472e9e38cac16d5b32b616201

memory/2072-408-0x0000000000400000-0x0000000001F4D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabEB1C.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarEB5D.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/2072-500-0x0000000000400000-0x0000000001F4D000-memory.dmp

memory/2072-501-0x0000000000400000-0x0000000001F4D000-memory.dmp

memory/2072-503-0x0000000000400000-0x0000000001F4D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\result\dllinfo64.info

MD5 a14f7308e8b69df39deb2bde66cc8ff5
SHA1 8f2e6b1d90eb770f29fec7aebac37405321b65a2
SHA256 86956ab4706681e66f6065112d16822a5623d063d5ddcfc5656416b71b20506e
SHA512 1d9edc5bd325fc51c5a7bfca54867429cbe74e79d7dca1842520340ae14af1d93fa567510a47b963c4d1fd79b74119b32555f3b5c594b9493ab99f1ed9ff4c9c

memory/2072-505-0x0000000000400000-0x0000000001F4D000-memory.dmp

memory/2072-506-0x0000000000400000-0x0000000001F4D000-memory.dmp

C:\Windows\System32\catroot2\dberr.txt

MD5 4aa4b91bb06df5cdb1f3cda07da7a3f2
SHA1 72a17b3a4de55db7a80079cc63f8b452ef239a71
SHA256 309ecbf1afef95d96705e037e7920539a67caf5c30391a07a8394851211d6c39
SHA512 f364c58ac699a433c327aa612ce9f3288a6a96eb84fb55e4954bb016567fc2779bd27fb056b221e1cd05c0e7485a1f0639fd803b62d163180c0318a75cfd0be9

memory/2072-562-0x0000000000400000-0x0000000001F4D000-memory.dmp

\Users\Admin\AppData\Local\Temp\FileSystemAnalyzer.dll

MD5 424d0ea97657a9ee7b491b7e0d8eb5c3
SHA1 145080a159126aec18539fc48006f4712165f594
SHA256 1288ca29e3d0cd2f0a8ed53a1184ef910d9cc701bff936ca65ff12accbd88651
SHA512 7bd05e1870c6d8076793a0927a24aca988dcf79bb2b0c2db82c7fa14d276a8d4a59fd53d76c3373974a7d0de728f610529eff35b0ef026cbdac352585105dae6

\Users\Admin\AppData\Local\Temp\libesedb.dll

MD5 ee29f6fc2015f1b4fac55028263b6025
SHA1 7e31f0f5baa2d4393da6d6a23ba5b7fc9322c781
SHA256 d8df40334173b6623028b0a8155a609660fbb0dba2fd5ed0038b1fe292f3ed04
SHA512 81fdc3ac884818ad35f29ae9f1032215d2cda4ea53371cb081219f7cf458801d462a3b8bc6e00f251f8dc69050c0e9e76d963b23565e64c8ce6bc38d1ac73614

memory/2072-706-0x0000000000400000-0x0000000001F4D000-memory.dmp

memory/2072-708-0x0000000008670000-0x0000000008C58000-memory.dmp

memory/2072-710-0x0000000008670000-0x0000000008C58000-memory.dmp

memory/2072-751-0x0000000000400000-0x0000000001F4D000-memory.dmp

memory/2072-753-0x0000000008670000-0x0000000008C58000-memory.dmp

memory/2072-752-0x0000000008670000-0x0000000008C58000-memory.dmp

memory/2072-755-0x0000000000400000-0x0000000001F4D000-memory.dmp

memory/2072-760-0x00000000080F0000-0x0000000008151000-memory.dmp

memory/2072-759-0x00000000080F0000-0x0000000008151000-memory.dmp

memory/2072-762-0x00000000080D0000-0x00000000080D8000-memory.dmp

memory/2072-761-0x00000000080D0000-0x00000000080D8000-memory.dmp

memory/2072-763-0x0000000008670000-0x0000000008C58000-memory.dmp

memory/2072-764-0x0000000008670000-0x0000000008C58000-memory.dmp

memory/2072-766-0x0000000008290000-0x00000000082B7000-memory.dmp

memory/2072-765-0x0000000008290000-0x00000000082B7000-memory.dmp

memory/2072-768-0x0000000009200000-0x00000000092C0000-memory.dmp

memory/2072-767-0x0000000009200000-0x00000000092C0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 74096e0f0b72c8cceecb81a6a885b03e
SHA1 ad2ddf13c2066442701060ea829c7d4bce91b9f4
SHA256 4f19fcf4b6701a7dd1edd627596388a69cb0a7eaa6423d8c9fc2ea2a5727fb1d
SHA512 daf734b18873bef3411eb45ada556e761de6b2890db0c8d125ba0b86199b26ef21ac70d5b5fe180b017c5fa9161c54b618755aade59715e27e0033f4234e4ed9

memory/2072-848-0x0000000000400000-0x0000000001F4D000-memory.dmp

memory/2072-850-0x00000000082C0000-0x00000000082C9000-memory.dmp

memory/2072-849-0x00000000082C0000-0x00000000082C9000-memory.dmp

memory/2072-853-0x0000000009200000-0x0000000009249000-memory.dmp

memory/2072-852-0x0000000009200000-0x0000000009249000-memory.dmp

memory/2072-851-0x0000000000400000-0x0000000001F4D000-memory.dmp

memory/2072-855-0x00000000080D0000-0x00000000080D8000-memory.dmp

memory/2072-854-0x00000000080D0000-0x00000000080D8000-memory.dmp

memory/2072-857-0x0000000008290000-0x00000000082B7000-memory.dmp

memory/2072-856-0x0000000008290000-0x00000000082B7000-memory.dmp

memory/2072-858-0x0000000009200000-0x00000000092C0000-memory.dmp

memory/2072-860-0x00000000082C0000-0x00000000082C9000-memory.dmp

memory/2072-859-0x00000000082C0000-0x00000000082C9000-memory.dmp

memory/2072-862-0x00000000082C0000-0x00000000082CA000-memory.dmp

memory/2072-861-0x00000000082C0000-0x00000000082CA000-memory.dmp

memory/2072-863-0x00000000082C0000-0x00000000082C9000-memory.dmp

memory/2072-865-0x00000000092A0000-0x00000000092AA000-memory.dmp

memory/2072-864-0x00000000092A0000-0x00000000092AA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 06:29

Reported

2024-06-20 06:32

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

122s

Command Line

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

Signatures

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\wbem\wmiprvse.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe | N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\L: | N/A | N/A
File opened (read-only) | \??\O: | N/A | N/A
File opened (read-only) | \??\P: | N/A | N/A
File opened (read-only) | \??\T: | N/A | N/A
File opened (read-only) | \??\U: | N/A | N/A
File opened (read-only) | \??\W: | N/A | N/A
File opened (read-only) | \??\E: | N/A | N/A
File opened (read-only) | \??\G: | N/A | N/A
File opened (read-only) | \??\Z: | N/A | N/A
File opened (read-only) | \??\X: | N/A | N/A
File opened (read-only) | \??\Y: | N/A | N/A
File opened (read-only) | \??\K: | N/A | N/A
File opened (read-only) | \??\V: | N/A | N/A
File opened (read-only) | \??\N: | N/A | N/A
File opened (read-only) | \??\S: | N/A | N/A
File opened (read-only) | \??\B: | N/A | N/A
File opened (read-only) | \??\J: | N/A | N/A
File opened (read-only) | \??\I: | N/A | N/A
File opened (read-only) | \??\M: | N/A | N/A
File opened (read-only) | \??\Q: | N/A | N/A
File opened (read-only) | \??\R: | N/A | N/A
File opened (read-only) | \??\A: | N/A | N/A
File opened (read-only) | \??\H: | N/A | N/A

Writes to the Master Boot Record (MBR)

Tags: bootkit, persistence

Description | Indicator | Process | Target
File opened for modification | \??\PHYSICALDRIVE0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx | N/A | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" N/A N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs N/A N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates N/A N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" N/A N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates N/A N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" N/A N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs N/A N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs N/A N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs N/A N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople N/A N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common N/A N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates N/A N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs N/A N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed N/A N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates N/A N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople N/A N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs N/A N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust N/A N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections N/A N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA N/A N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates N/A N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs N/A N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" N/A N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs N/A N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs N/A N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe N/A N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata N/A N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" N/A N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018400E3FB4E05F" N/A N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections N/A N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates N/A N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot N/A N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" N/A N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" N/A N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root N/A N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates N/A N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs N/A N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates N/A N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe N/A N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs N/A N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates N/A N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust N/A N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA N/A N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs N/A N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed N/A N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 N/A N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs N/A N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs N/A N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133633386030513165" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133633386055849820" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU N/A N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 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 C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81 C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 212 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe C:\Windows\SysWOW64\cmd.exe
PID 1356 wrote to memory of 1416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 212 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe C:\Windows\SysWOW64\cmd.exe
PID 212 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe
PID 680 wrote to memory of 2880 N/A N/A C:\Windows\sysmon.exe
PID 680 wrote to memory of 3564 N/A N/A C:\Windows\System32\WaaSMedicAgent.exe
PID 680 wrote to memory of 2880 N/A N/A C:\Windows\sysmon.exe
PID 680 wrote to memory of 4204 N/A N/A C:\Windows\system32\wbem\wmiprvse.exe
PID 680 wrote to memory of 2360 N/A N/A C:\Windows\System32\svchost.exe
PID 680 wrote to memory of 212 N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe
PID 680 wrote to memory of 212 N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe
PID 680 wrote to memory of 212 N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe
PID 680 wrote to memory of 212 N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe
PID 680 wrote to memory of 212 N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe
PID 680 wrote to memory of 212 N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe
PID 680 wrote to memory of 212 N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe
PID 680 wrote to memory of 212 N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe
PID 680 wrote to memory of 212 N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe
PID 680 wrote to memory of 212 N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe
PID 680 wrote to memory of 2880 N/A N/A C:\Windows\sysmon.exe
PID 680 wrote to memory of 2880 N/A N/A C:\Windows\sysmon.exe

Processes

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-20_58cb516f3705373677afc78955cbccc8_magniber.exe"

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ipconfig /displaydns

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /displaydns

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c type C:\Windows\system32\drivers\etc\hosts

C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe

"C:\Users\Admin\AppData\Local\Temp\SysTrace64.exe" dziss

C:\Windows\System32\WaaSMedicAgent.exe

C:\Windows\System32\WaaSMedicAgent.exe dfb8c2e0a2c67eeca550d5b59a42f2e2 248hp1znzUyiaMTx0XYZvw.0.1.0.0.0

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/212-0-0x0000000003CF0000-0x0000000003CF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Systrace64.exe

MD5 2654c83d4c96705a057965cf8f24dc67
SHA1 88a9996f42d06fe647c68c55e8767cb36331508f
SHA256 3f6ebfad24e49af1f43876f03047ad82c2c1b284dbfe388d19fe3a5f27b64b6c
SHA512 2d934c20dfa4b9e57c1954c03f527709e1f9755d8437be08b153ff8b7c00e1e2823ec24f889234f63a7d03531a94635d7b0a56d0c1fcf9bc529cc16308fa9446

memory/1740-47-0x0000000000400000-0x00000000006FC000-memory.dmp

memory/212-49-0x0000000003CF0000-0x0000000003CF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\result\processinfo64.info

MD5 132d6c03c2b5666fe1e6a8f3f1961b65
SHA1 56eafb28575dc6ed4345f8573fecdb7634ee0b28
SHA256 07f5936a5c927c0b85f6e56e21866cb5023bb0849bb956ec69df96b30544f2cd
SHA512 cede129085662f3464f07f328fe22352d87d1c4f596dfd2b017b3338206199062549d209c9766164a2daa39c3700c071a63795d81f8675d8571bb8c9c96c4871

C:\Users\Admin\AppData\Local\Temp\result\dllinfo64.info

MD5 3f39f3bb7111643f0f11f9ff1c7ed0a1
SHA1 20c8322dada625e4812023c724e673d610aeb560
SHA256 0ed76060b4eba32a21b86cf3d2f129b86de24fc52bc73c214d803d72d907c3b5
SHA512 5dfd81b480e4271e9f0fa1bbabf669fe44de050175c3312cae1423b1ebb841b21e01290e1f5284183a010949efa82e4297e5362fd30e5bcdc30050a17fab3bf1