Malware Analysis Report

2025-08-10 14:17

Sample ID 241016-bmcrlszaqj
Target 2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil
SHA256 be204886720c44fa29e5e6757f1bac479353d931c75399a58de2b3ccb7cd2834
Tags
bootkit discovery persistence spyware stealer
score
8/10

Analysis Overview

Threat Level: Likely malicious

The file 2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil was found to be: Likely malicious.

Malicious Activity Summary

bootkit discovery persistence spyware stealer

Downloads MZ/PE file

Reads user/profile data of web browsers

Checks computer location settings

Writes to the Master Boot Record (MBR)

Checks installed software on the system

Checks for any installed AV software in registry

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Unsigned PE

Modifies Internet Explorer settings

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 01:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 01:15

Reported

2024-10-16 01:17

Platform

win7-20240903-en

Max time kernel

118s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe"

Signatures

Downloads MZ/PE file

Reads user/profile data of web browsers

spyware stealer

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Avast Software\Avast C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\AntiVir Desktop C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\SOFTWARE\Avira\AntiVirus C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe N/A
Key opened \REGISTRY\MACHINE\Software\Wow6432Node\Avast Software\Avast C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe N/A
Key opened \REGISTRY\MACHINE\Software\Avast Software\Avast C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe"

Network

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

MD5 79456bcf2e25664215de2bfaf08c4ec9
SHA1 9138143ec4b0fbbc7fd01e702816021192831f0c
SHA256 89060ea5f851ebf1c19da4244d3c38b7a89674b1e56c261ee09a650b71d64784
SHA512 886b0c2defa8ccb299907207a6f3e7103ae52dfa6f973513efb52801ea097228b04b76001a158f513e7876542ce83bb77c41ca24774e1693692105a1a3da68a2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2TORU31WFERIQLY17JSN.temp

MD5 3cdefa393c604cd92db869a3050800f1
SHA1 3147a19f5b1ff37534153374fe5e6132bd9ba617
SHA256 4dfe3bdf3492c4eaa476c445dea51d3f0e44fb9470cf68a44c103e996db47d4f
SHA512 2d8d9cf2801aa7c834b610c614c01333b1ff914597db53f586c7868259fd57b2141974c965bd2d12ea869a2e208e1ba26900a75f1d61bb11f3b2c12134bb0d91

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\eb2cfcf2e80edf70.customDestinations-ms~RFf76f74a.TMP

MD5 9bf6b7861bc828436fef63057c102183
SHA1 14c10e2f8069dbe3bb27c271414174e258e8b83a
SHA256 537c6e84db9bc12618e5ab17d89126f1d454051a2098d12d27fac4297fa180c7
SHA512 80cacfd21b0dee4121fb5a9d3d82d48bd25429dae744bb73efe12e8b1f9888fc9764a1cd64662de812bce8a25c3b1930eb035892deb84b280617c0cb01125b4b

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 01:15

Reported

2024-10-16 01:17

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe"

Signatures

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Avast Software\Avast C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Avira\AntiVirus C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe N/A
Key opened \REGISTRY\MACHINE\Software\WOW6432Node\Avast Software\Avast C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe N/A
Key opened \REGISTRY\MACHINE\Software\Avast Software\Avast C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_1feb149f99f559fc0c204359a6ae4abe_magniber_revil.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4156 -ip 4156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 3012

Network

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

MD5 aeeb376d272dab65e659fee97433084d
SHA1 41fefaef05e45328738eacf9e4a81fddc0014258
SHA256 a2141befdb6e843ecac10bd5e418ae9fbff02256c677d33e6cec39869f772e0f
SHA512 27ad95f6bf5d67549afea5ff77e4ce6db92b74db6b90a3edb710b2e8dab13b2fe922ef390f78a905fab27e205abb577857f9b7bfc7060871ff40cbdd95576b26

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

MD5 70d1264030aee831391fa17bd8406640
SHA1 e521f86397c2ff09e43e1866ead7129428e410ec
SHA256 66499fd6c46a18b88d4d1f48522b7601a751262244eaa2eb138c7cc853362c1d
SHA512 a76dc3bf51ca0c5ba04912364f4be13ba0ae928e1e0742f39af221132089db44c0041a69900c93b41f5d0920d7c4788d7bfb1f3acf53df7a6ae2986e999f1238

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

MD5 6c7a2d83b4daafb11db02aa4c0328e6a
SHA1 296e81617383e72fea9937599afc897cfc105dfd
SHA256 ce6d1d3ac9f4ef2510235f6a8576cbd03d9240a736cd0d790472052536de4e55
SHA512 e279aa7504c7cd55f30f73fcabbda3ba9a8a420e6a162c3cd42a1c2a8a76eb9f89492137e3f81f0c481c11b51013dd13490763f82056c22d0008ebc7dcbf1c67

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

MD5 4a287e3e1b36754972e02f66f1a4416e
SHA1 f52c84f7af9e3a0e3c46e52b96501bec0f0eb09e
SHA256 c2d5fdd467a9e6a175fb82d2328319853312d04d86376ed47bfb7db08cdd9871
SHA512 0404640ff27a35be0235a5f5da9c21530d975d8e2b5570514f3dcd16abdf1a68d0d8247f72237cef18b153b35a022ca4e9f05a975cdb87c36c18c9f6e599b6c9