9473531e370d7a45e1ff2bd214c0365f07c78f6ce52ec35f141fbedf76c2ed1f

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2024 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe
Size

5.3MB
MD5

0271bf83ad3127f16367a7662f2247b4
SHA1

cc30247eb021648e11ae84b7afacfa476129b2ef
SHA256

9473531e370d7a45e1ff2bd214c0365f07c78f6ce52ec35f141fbedf76c2ed1f
SHA512

17419cd882d6a812a051993450136fb3c4d59d2b5854989efeaaf6e8eea0d285a4bd940f3c51f46ec4b5efa5417d748ca58f51ece77210d32448f63178968173
SSDEEP

98304:PkB/qoHMdnJE7hAlKnsz2C2PYdhIqHpnq0EB:bJEul4szEonqtB

Score

9^/10

discovery persistence ransomware spyware stealer

Malware Config

Signatures

Renames multiple (216) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Logo1_.exe

Executes dropped EXE 1 IoCs

pid	Process
3492	Logo1_.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe"	Logo1_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe"	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE.Exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\RCX58B1.tmp	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\bin\java.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCX4CDD.tmp	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateCore.exe	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe.Exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe.Exe	Logo1_.exe
File created	C:\Program Files\7-Zip\7z.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_92812\java.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\RCX4A2C.tmp	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\YourPhone.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\crashreporter.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\RCX4D41.tmp	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\bin\javacpl.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\codecpacks.heif.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.Exe	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\MicrosoftEdgeUpdate.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketch.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\bin\servertool.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\RCX580B.tmp	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe.Exe	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\uninstall\rundl132.exe	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe
File created	C:\Windows\Logo1_.exe	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe
File opened for modification	C:\Windows\uninstall\rundl132.exe	Logo1_.exe
File created	C:\Windows\RichDll.dll	Logo1_.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4564	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe
4564	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe
4564	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe
4564	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe
4564	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe
4564	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe
4564	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe
4564	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe
4564	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe
4564	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe
4564	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe
4564	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe
4564	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe
4564	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe
4564	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe
4564	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe
4564	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe
4564	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe
4564	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe
4564	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe
4564	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe
4564	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe
4564	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe
4564	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe
4564	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe
4564	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe
3492	Logo1_.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 2120	4564	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe	84
PID 4564 wrote to memory of 2120	4564	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe	84
PID 4564 wrote to memory of 2120	4564	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe	84
PID 2120 wrote to memory of 2984	2120	net.exe	86
PID 2120 wrote to memory of 2984	2120	net.exe	86
PID 2120 wrote to memory of 2984	2120	net.exe	86
PID 4564 wrote to memory of 2880	4564	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe	89
PID 4564 wrote to memory of 2880	4564	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe	89
PID 4564 wrote to memory of 2880	4564	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe	89
PID 4564 wrote to memory of 3492	4564	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe	90
PID 4564 wrote to memory of 3492	4564	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe	90
PID 4564 wrote to memory of 3492	4564	2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe	90
PID 3492 wrote to memory of 2320	3492	Logo1_.exe	92
PID 3492 wrote to memory of 2320	3492	Logo1_.exe	92
PID 3492 wrote to memory of 2320	3492	Logo1_.exe	92
PID 2320 wrote to memory of 4484	2320	net.exe	94
PID 2320 wrote to memory of 4484	2320	net.exe	94
PID 2320 wrote to memory of 4484	2320	net.exe	94
PID 3492 wrote to memory of 4824	3492	Logo1_.exe	95
PID 3492 wrote to memory of 4824	3492	Logo1_.exe	95
PID 3492 wrote to memory of 4824	3492	Logo1_.exe	95
PID 4824 wrote to memory of 2780	4824	net.exe	97
PID 4824 wrote to memory of 2780	4824	net.exe	97
PID 4824 wrote to memory of 2780	4824	net.exe	97
PID 3492 wrote to memory of 3540	3492	Logo1_.exe	56
PID 3492 wrote to memory of 3540	3492	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3540
- C:\Users\Admin\AppData\Local\Temp\2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe"
  2⤵
  - Drops file in Drivers directory
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBB9F.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2880
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3492
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2320
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4484
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4824
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\RCX57B9.tmp

Filesize
94KB

MD5
efd51ee79a74d16a34a8a345d0858840

SHA1
10852222d1008f66fe513717de7ca693bd6dc45b

SHA256
32f3923b0239cc901263ef48da48fded9e19e5c738fb72479ab63e045cf2fc00

SHA512
5791d4cfb0a7b49fb9d0176fa3fab22224f138cae15af6fbfbab4c68895b063aaa24600a56bdf9c089fc3a6ddb3cfffa864bbb702c40d9346bd076e68959e6f9

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.371\RCX583E.tmp

Filesize
90KB

MD5
87719795f1279cb6ed1f85833d469007

SHA1
c73ca58ccfd8b7f91a79034ece8c346914efe596

SHA256
9d2f7cdb64b06c8b556a4aa7876a5e4d31a4a5b5600a32c5e36a7b226c64edd5

SHA512
e9d852881c49cc9de287efb8298907f2415d754982cfe62ee7fa904b02608db251af3d5f56302bccea62489e85f83a183de3611778e5813626252fd8165fdc49

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\RCX58B1.tmp

Filesize
118KB

MD5
34b923320ea23512cba38db535c3fb06

SHA1
161a01b989d086074488b178073e5cd891c452e8

SHA256
9c164795ab939eeadfd13ce5eaf4790849a30c42715e291913f1db3dfcbd02a5

SHA512
3b38625a9f262cc08a0eb4f6c4b14c3c8e6d1f6b1e984ce1d522c40de92a19860698a6641536f70d7eb326038755d950f51764b5512f513667bb959bec47f0d2

Download Submit
C:\Program Files\7-Zip\7z.exe.Exe

Filesize
637KB

MD5
1163b9ee6ef077f6a4ab1d872ce8425c

SHA1
58eadccb558613428d7fe94f185304d468de7efe

SHA256
f57d351523990ac57b963a759d32041ed19add03552cc4f8dfa8baae175adc66

SHA512
57aa141b529b9742cf03cd90fdea6016b77c885b0f67dcdc344396ab66564106c71b5bc2a21d5194d02166ec6981a014c4788c01c0c992a1180397629b53611e

Download Submit
C:\Program Files\7-Zip\RCX48FD.tmp

Filesize
91KB

MD5
a402ff457ebbd85e4f5e7f647bd97701

SHA1
c89b786623033d5a4e30d2130e88baa7f2c6a214

SHA256
69e3871728ce42ee46119d2f9dabb195bac6c949faf1c7debec99a1e9905201b

SHA512
67e13eac5517efe2460428e17ec437e87d8aa7d6b6357932efbf5be34aaad794af7f94435a77a6af7d0c4172031f9650eda5f73a1358def65964b601583322c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\RCX4A1C.tmp

Filesize
91KB

MD5
21b2afe2b7a1f7a9dbc0e1d1ef93a712

SHA1
3222c94f2f457b16f01b1a7ebfca35382b037a75

SHA256
9ace1817c3e5736d5b86c95809c45a3df219a8abf4078022ba099f37b60f684a

SHA512
c5baf41242899c0f71bde14ff947a6be9a7d682367be8493767529bb73a93051579f32bb08aec92e43a1569ade7a0401dd9182d691c3ca01f56b8a059ad339ea

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\RCX4CDD.tmp

Filesize
156KB

MD5
2a30d3555f8dc10a40b40fd6fd975622

SHA1
206d37e22beb6bd269fff9b8c685d34c44f40561

SHA256
368454fbae7e6af10ee7fc818e37f30f3aa31a2d69e8adb18e71d64203496a62

SHA512
05faa785ca478289e17120ec45bc19297f84ff572e051f4c3f70abdef484bd1ce43ac80a8b4847f1ee0adefc528be8fe3e17633eb715671d8163a18155a623e6

Download Submit
C:\Program Files\Mozilla Firefox\uninstall\RCX4D41.tmp

Filesize
99KB

MD5
8bf62cf8fc663f35aea0fcc8388138cc

SHA1
caff0a288c1eaa5a2c43ad4a1787a892718a2f29

SHA256
ae89218d6415eebd9ada2a23e4b36fb114659026d5952cc99bc3d4e1b6543271

SHA512
7fe823a37d1b4c6fc27ceaa073041b91388360354fcdd763bed3632f69a601b7ff1dd6b6b78f124e8abe53fb98a18b90a7ec03b461f6df21dcb316dbf4ee50b6

Download Submit
C:\Program Files\VideoLAN\VLC\vlc.exe.Exe

Filesize
1.0MB

MD5
d20856f65bb15ffb68e3fd335a8f2a0e

SHA1
2dc9a4c341060171f66b1b7165ccd1d0f9f8cf28

SHA256
3fe4eeefea287b54d57eb0299dcfca1a7f39e7c7d42a3fc175c3fe6498876297

SHA512
6fd951431f61a3d9381a7869af982bfaefccbf57d37852b04e2964ff3a4c47a6b1e5cb624175ac187a3607c2f008073ae3d28f611ecf91de73467ad1e795bf73

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aBB9F.bat

Filesize
728B

MD5
3f1752d4479a3bb358b55b0bafdbd089

SHA1
2cfaef937710f1f1fe9b8f1e41e1126556356506

SHA256
babfe81f100f004cdcc51692959b89d0434c8c2b593008d0c15bb3a2e7335c1e

SHA512
4d7ab120fb830bc14f56b5eaa0b77447f8db5fccf1ee8bca7fe002f24e036d62040ddf9c3dd5b91311e82cb99cb45384b02b6e4e014058e08cab0cfe7a7c360d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe.exe

Filesize
5.3MB

MD5
1862d5f0e9903c6c6dda216f0755a581

SHA1
6721684d8fa7cebc21a4507671db37f0bbcd4a42

SHA256
80935f6ce2b782ad94e30e5e3d7b7e2b22d96696a1f266e00855b98b994a5321

SHA512
40d0eabbe1945e4097720ce996481a21549a0a0b9089270622c67977f8a819f959221f4b9c252a90a817345be17170c12ee8b18d62e7c7a50ffe08d1e897c0ec

Download Submit
C:\Windows\Logo1_.exe

Filesize
93KB

MD5
176ca437b5cb121deb548be2f7061b0d

SHA1
7cd7bbe31d411a368236ddd490e7ff1eaa659fd1

SHA256
28f394e55e4bfa629c8f844cc265e9d529795aaba4d59e17b97d8a638f9293ec

SHA512
33e18b7025106cebcef26486d48beba282568241fd1117f45211f7151cfb3489cbf37703d03109c8b6a481a61e3c9668f804933592df8196e96c1c8e107cdb1f

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
842B

MD5
6f4adf207ef402d9ef40c6aa52ffd245

SHA1
4b05b495619c643f02e278dede8f5b1392555a57

SHA256
d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

SHA512
a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

Download Submit
memory/3492-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3492-996-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3492-1122-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4564-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download