201d6644b782ca9b6abd3b3424c6592feb0e61c6452e6b4349884922576baa86

Analysis

max time kernel
89s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2024, 05:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Size

9.4MB
MD5

e7d206d0c935a03cf058a5baf75ab686
SHA1

0cd04695cf4cde1c8b904885e40fd66f2db2ef1d
SHA256

201d6644b782ca9b6abd3b3424c6592feb0e61c6452e6b4349884922576baa86
SHA512

0aea7ba28cb5926f63f9513446547cfc04a16320de7ed1606d1fcb0613bba1be291296c8ee8ecc1cbedd764046417b9ffa7b0ed408e52c1b5a730836c9f1cc92
SSDEEP

196608:g8cEXTRiA3JjtvqiAxhv9sg1tKCTpYAQEWrqufezvGWUJ8:XcYRiIt07vJYZEW2uGz+WUJ8

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
File opened (read-only)	\??\B:	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
File opened (read-only)	\??\G:	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
File opened (read-only)	\??\J:	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
File opened (read-only)	\??\W:	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
File opened (read-only)	\??\Y:	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
File opened (read-only)	\??\N:	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
File opened (read-only)	\??\R:	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
File opened (read-only)	\??\M:	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
File opened (read-only)	\??\S:	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
File opened (read-only)	\??\T:	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
File opened (read-only)	\??\V:	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
File opened (read-only)	\??\X:	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
File opened (read-only)	\??\I:	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
File opened (read-only)	\??\P:	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
File opened (read-only)	\??\O:	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI4C7B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4CDB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4DBA.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4CAB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4CEB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4D0C.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4DDB.tmp	msiexec.exe
File created	C:\Windows\Installer\e574b90.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4C2C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4D3B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4D7B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e574b90.msi	msiexec.exe

Executes dropped EXE 3 IoCs

pid	Process
2244	lite_installer.exe
3460	seederexe.exe
1072	sender.exe

Loads dropped DLL 9 IoCs

pid	Process
2684	MsiExec.exe
2684	MsiExec.exe
2684	MsiExec.exe
2684	MsiExec.exe
2684	MsiExec.exe
2684	MsiExec.exe
2684	MsiExec.exe
2684	MsiExec.exe
1384	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\SearchScopes	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\Main	seederexe.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	seederexe.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E88DCCE0-B7B3-11D1-A9F0-00AA0060FA31} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000cf75554c2e62da01	seederexe.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E	msiexec.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4072	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
4072	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
4648	msiexec.exe
4648	msiexec.exe
2244	lite_installer.exe
2244	lite_installer.exe
1072	sender.exe
1072	sender.exe
1072	sender.exe
1072	sender.exe
2244	lite_installer.exe
2244	lite_installer.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4072	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Token: SeIncreaseQuotaPrivilege	4072	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Token: SeSecurityPrivilege	4648	msiexec.exe
Token: SeCreateTokenPrivilege	4072	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Token: SeAssignPrimaryTokenPrivilege	4072	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Token: SeLockMemoryPrivilege	4072	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Token: SeIncreaseQuotaPrivilege	4072	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Token: SeMachineAccountPrivilege	4072	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Token: SeTcbPrivilege	4072	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Token: SeSecurityPrivilege	4072	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Token: SeTakeOwnershipPrivilege	4072	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Token: SeLoadDriverPrivilege	4072	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Token: SeSystemProfilePrivilege	4072	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Token: SeSystemtimePrivilege	4072	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Token: SeProfSingleProcessPrivilege	4072	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Token: SeIncBasePriorityPrivilege	4072	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Token: SeCreatePagefilePrivilege	4072	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Token: SeCreatePermanentPrivilege	4072	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Token: SeBackupPrivilege	4072	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Token: SeRestorePrivilege	4072	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Token: SeShutdownPrivilege	4072	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Token: SeDebugPrivilege	4072	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Token: SeAuditPrivilege	4072	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Token: SeSystemEnvironmentPrivilege	4072	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Token: SeChangeNotifyPrivilege	4072	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Token: SeRemoteShutdownPrivilege	4072	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Token: SeUndockPrivilege	4072	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Token: SeSyncAgentPrivilege	4072	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Token: SeEnableDelegationPrivilege	4072	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Token: SeManageVolumePrivilege	4072	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Token: SeImpersonatePrivilege	4072	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Token: SeCreateGlobalPrivilege	4072	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
Token: SeRestorePrivilege	4648	msiexec.exe
Token: SeTakeOwnershipPrivilege	4648	msiexec.exe
Token: SeRestorePrivilege	4648	msiexec.exe
Token: SeTakeOwnershipPrivilege	4648	msiexec.exe
Token: SeRestorePrivilege	4648	msiexec.exe
Token: SeTakeOwnershipPrivilege	4648	msiexec.exe
Token: SeRestorePrivilege	4648	msiexec.exe
Token: SeTakeOwnershipPrivilege	4648	msiexec.exe
Token: SeRestorePrivilege	4648	msiexec.exe
Token: SeTakeOwnershipPrivilege	4648	msiexec.exe
Token: SeRestorePrivilege	4648	msiexec.exe
Token: SeTakeOwnershipPrivilege	4648	msiexec.exe
Token: SeRestorePrivilege	4648	msiexec.exe
Token: SeTakeOwnershipPrivilege	4648	msiexec.exe
Token: SeRestorePrivilege	4648	msiexec.exe
Token: SeTakeOwnershipPrivilege	4648	msiexec.exe
Token: SeRestorePrivilege	4648	msiexec.exe
Token: SeTakeOwnershipPrivilege	4648	msiexec.exe
Token: SeRestorePrivilege	4648	msiexec.exe
Token: SeTakeOwnershipPrivilege	4648	msiexec.exe
Token: SeRestorePrivilege	4648	msiexec.exe
Token: SeTakeOwnershipPrivilege	4648	msiexec.exe
Token: SeRestorePrivilege	4648	msiexec.exe
Token: SeTakeOwnershipPrivilege	4648	msiexec.exe
Token: SeRestorePrivilege	4648	msiexec.exe
Token: SeTakeOwnershipPrivilege	4648	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4072	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
4072	2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 2684	4648	msiexec.exe	86
PID 4648 wrote to memory of 2684	4648	msiexec.exe	86
PID 4648 wrote to memory of 2684	4648	msiexec.exe	86
PID 2684 wrote to memory of 2244	2684	MsiExec.exe	87
PID 2684 wrote to memory of 2244	2684	MsiExec.exe	87
PID 2684 wrote to memory of 2244	2684	MsiExec.exe	87
PID 4648 wrote to memory of 1384	4648	msiexec.exe	89
PID 4648 wrote to memory of 1384	4648	msiexec.exe	89
PID 4648 wrote to memory of 1384	4648	msiexec.exe	89
PID 1384 wrote to memory of 3460	1384	MsiExec.exe	90
PID 1384 wrote to memory of 3460	1384	MsiExec.exe	90
PID 1384 wrote to memory of 3460	1384	MsiExec.exe	90
PID 3460 wrote to memory of 1072	3460	seederexe.exe	91
PID 3460 wrote to memory of 1072	3460	seederexe.exe	91
PID 3460 wrote to memory of 1072	3460	seederexe.exe	91

C:\Users\Admin\AppData\Local\Temp\2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_e7d206d0c935a03cf058a5baf75ab686_magniber.exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4072

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0EDFA33DDB262269CE3A72D392B7CF60
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\F4E27C86-22F9-410F-855A-133B4BDBD8DE\lite_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\F4E27C86-22F9-410F-855A-133B4BDBD8DE\lite_installer.exe" --use-user-default-locale --silent --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2244
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 08AA87EC86FABC8EBBDE509F535836FB E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Users\Admin\AppData\Local\Temp\F80030A3-3AC4-4205-BB76-83FBDB796490\seederexe.exe
    "C:\Users\Admin\AppData\Local\Temp\F80030A3-3AC4-4205-BB76-83FBDB796490\seederexe.exe" "--yqs=" "--yhp=" "--ilight=" "--locale=us" "--browser=" "--browser_default=" "--yabm=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\A5613527-4FF7-4997-B3D3-B43492E28800\sender.exe" "--is_elevated=yes" "--ui_level=5"
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:3460
  - - C:\Users\Admin\AppData\Local\Temp\A5613527-4FF7-4997-B3D3-B43492E28800\sender.exe
      C:\Users\Admin\AppData\Local\Temp\A5613527-4FF7-4997-B3D3-B43492E28800\sender.exe --send "/status.xml?clid=2333355&uuid=9b49c702-3d80-4ea7-b1c3-4eab676b34ce&vnt=Windows 10x64&file-no=8%0A15%0A25%0A38%0A45%0A57%0A59%0A102%0A106%0A108%0A111%0A125%0A129%0A"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e574b91.rbs

Filesize
591B

MD5
52b45c2829f8c1cf292d8cd94191f3ba

SHA1
aef09e24fe0ee3ce3f264c311c9081b47fcb0ee0

SHA256
3a243dc3c9e7175f1a429bfa369424b799f04b1f751049c990cda0a03f438192

SHA512
a9ea4d264d52cd97d01bceaa19c2f7fc3b13264f3a65cbf07de01f01918f95b7fa9927fc80ee9aa67716bd711d2efae025aef3d2beb16a9a2df99eb54ae28a57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_A026C9CD7BA14377D055F4A2325D4501

Filesize
1KB

MD5
36b0456eb066795b76b511da1620cc34

SHA1
1d24a685f7d35cc54433ea65d632eb064fe26115

SHA256
d09ceb6bd658d949dae45e6618d986580f4ab80a91c8dc490ad70fbc205a5234

SHA512
5554019e38af729841e8e18cfd17136d182d1cade52a44b4e7dc0ae38ba96f10d0b138a4196ec83caff38e88d4eb74ca90995ada6078fa428a82519e4eee72d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\769F85394FB15C375FF89A7488274D5B_22252D7CC6CD0EA80FCE3FF30A53AFB2

Filesize
1KB

MD5
98b7188ad5a79a704ce7478c153a2afa

SHA1
4d45db8a06623a269fb49e84d1ee2e076af75f2f

SHA256
9c106ba0aa3d125c9d0f711754ab18305cb6ab89af7b349bdc30bded4a894c4a

SHA512
d4ea0ea30cb3f26e3f8df292764edd1ee6c179b0dd0f432465902a211e83ddfb946c36f34f4c55a7a0e74ae8b177e64c1ea61d397f7f153c47e26996262aaf6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_4BB72A60CF9C652B353353202101C0E4

Filesize
1KB

MD5
31be1855a19d3ab3ca84b4ba2d257f11

SHA1
d59bf30e8cc27f77234055d7172cbb5cdec2d8b5

SHA256
2b001aa37a2fded22ad4a82618b84dfb01e76509a3354d6fc3d5b681a097ca5f

SHA512
7e6e213c63febbf5a2ee253f29c6fd1329c19976a8a9d1a2976db8a43d3ae5be4631d661b992692bb406f54b0a8c3066c14f1680e75cfcef59f1b7b3b47bbc15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDA81A73291E20E6ACF6CACA76D5C942_4EA93225B46C4B45501FF0DDE9E306D0

Filesize
1KB

MD5
71f05a029bf4a4b0ebd907f4dd3db5ca

SHA1
4120dd459d202fa485bb03413035bc9c8a753aca

SHA256
1145a89a1772d8a2072dc7f2accf05898116488839d8e9ddb069ad1ef037c8be

SHA512
8fbf95632273e6a4594eeaa304430a34135a5e8e0e32558ee18db1192f66eca8ded4660078d94c5fcd0d0bcb5ca337aad695abfbed7bc601e6fa3426c37e9836

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_A026C9CD7BA14377D055F4A2325D4501

Filesize
508B

MD5
a5a34d9c32e3613af19a73fdb7490840

SHA1
80a512e2880ed11d40d93d9fbf3fc3c701eb150c

SHA256
007456399b2b61166fbfa5408c1f63d1f1d3c439e4659929046d2ab8618ecbbf

SHA512
8bea0469a29d5caebb725176eae6587ac2285e2fff269d4cdcbde9b82a9338589efb888103e89e90f2ed546129d5f6da65c04fc706eb55563dcd69575a89c895

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\769F85394FB15C375FF89A7488274D5B_22252D7CC6CD0EA80FCE3FF30A53AFB2

Filesize
522B

MD5
193f4c1712151602cf49e7c2bb4cd43e

SHA1
176905749869ccf502328382d206ff12bd0ad0de

SHA256
31349f1d0bc8802e1f8d5b1374d8ac516e94c6ca60a9c5deb24d300a8f92ce7c

SHA512
bc7a10cf67c2c044ac17f6d5ed172634cf41bba6c237d1ed33c90c841c466e20818dd192d72f75d6dafcea73c7842b9226cb99f2075441933430cdae3dc8f1f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_4BB72A60CF9C652B353353202101C0E4

Filesize
502B

MD5
86b9aede182ed3ad04aa7466e03cd112

SHA1
b45f5a0c35ebb4928c3bb29d5d7185550799f901

SHA256
26c3265822ea5889b7196555f7649b3e62a7afc89963d6533fa442fa59795f1b

SHA512
6b2ac5b9364e5c668bafbb9e8ff53616d02249ce27097bf90619b65b626ed586ef6e750713530354b2466f330c3745db498a8bb10810a714a9d6d1128ae29777

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDA81A73291E20E6ACF6CACA76D5C942_4EA93225B46C4B45501FF0DDE9E306D0

Filesize
526B

MD5
8d5a0cd648a824f98e918337a8ae77da

SHA1
3d91c3fa7d7a2541091f0372b246e6c95a65d7ac

SHA256
d1725e3cc43e370f91e52807ef755a15e953a422557798d86b8e56a4996b86df

SHA512
8def5d19621adf10ad9d71da7138bd15f5b54bc88704c3d23b625c8cc365335927792828db600efafceaca6bdfad8fd5dc9f8b2f5a572a7da1a3fe8836a10bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5613527-4FF7-4997-B3D3-B43492E28800\sender.exe

Filesize
264KB

MD5
eb796e1048dd306d7ef2d09189b98bc2

SHA1
c2a6ee261e26619bea43e53a51407ccc6a9e0778

SHA256
b8dbc06ff7b0e10451a773e054337854b957be6650d5839b27f92706c8f75aa3

SHA512
26375f5e039e51db7f990f6e7183aabf9cfea48c6f5e25bea588f26ea9a5e7a704485584eaab9f465111158952a07b9a87943be7986e0c0abca26e850909d2eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4E27C86-22F9-410F-855A-133B4BDBD8DE\lite_installer.exe

Filesize
415KB

MD5
4958fe818ee0910209de2482bceed571

SHA1
c687e280b374c25b17a7f70e8c78f0ab331857bc

SHA256
3317ab61f7fbd98199f961ff8b3b68e310c12b6a76312819daed873d172054d4

SHA512
b54d4727200d9c473b3b2fde613a7ace8220aaa7ac52e0e29ae39aa22bd05c15fabb47b119b2085f81bbc864100fd78bfe2d74a1c122a80d143be17c6eb25cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\F80030A3-3AC4-4205-BB76-83FBDB796490\seederexe.exe

Filesize
7.4MB

MD5
f4a72fa8bd9c0583bfa4e1e5a9b2780e

SHA1
00ef9ebc448f345a26598ea68ff4b5737d0d9fbb

SHA256
b4a72919d83b22ad06aca95fc8603e3b00f5804f5cc3f53dbd1c6e16ff2b8bf9

SHA512
9a27b6a0245987496ae17ebb3610d231245594db4a1c4fdf19ec004cf7bfe5a67246946c6d8d441824609bb2d6fee1287688ec21c6177d4394e8f7c9d82f5034

Download Submit
C:\Users\Admin\AppData\Local\Temp\YandexSearch00000.log

Filesize
35KB

MD5
b3f122076b2760fcfe001bc1126b973f

SHA1
920ee052c4065dd39f812d7f4f16a5dfe51278f8

SHA256
149336d7e100d334d29ec3718170657452096ca965c4ca425c9a92699897fecd

SHA512
19812e1e988f1bc6e900c8c3dcd35c2dd877cd6ea5335026e6ca0d2880bd3b004f1bed080c393f3692ab2589ef3dfbf23609f33ad8c957dabcf9a3cd126f7a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\be82ada3-ed05-49bb-80ec-15d490961d97\sovetnik-at-metabar.json

Filesize
1KB

MD5
5a40649cf7f6923e1e00e67a8e5fc6c8

SHA1
fc849b64b31f2b3d955f0cb205db6921eacc1b53

SHA256
6d432ba7096090837f9533a33a686c846ad67aed8ecc43af7ce8af42649cd51a

SHA512
0fc42a2cc61528b14478f4b9ae098ea90e6b05ddbe10f3a6cdd6326d0d8e6185b49d2b8143b76a9f329bdc277cf02b54d98f374edd65df68a1ffc41e1c817786

Download Submit
C:\Users\Admin\AppData\Local\Temp\be82ada3-ed05-49bb-80ec-15d490961d97\sovetnik-at-metabar.xpi

Filesize
688KB

MD5
ab6d42f949df8d7e6a48c07e9b0d86e0

SHA1
1830399574b1973e2272e5dcc368c4c10dbbe06b

SHA256
205ebf52c47b42fa0ad1a734a1d882d96b567e15a32b19bdb907562db8ea09e2

SHA512
6c4f9bb726384c87b6523e08339f7821ad4ec8717b26db902ca51df74eb89b46e4ded1504a131683b07b2bba3e6e911a549a8a83b2aad3971047c0fe315a1ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\be82ada3-ed05-49bb-80ec-15d490961d97\vb-at-yandex.ru.json

Filesize
5KB

MD5
856242624386f56874a3f3e71d7993f4

SHA1
96d3199c5eebb0d48c944050fbc753535ee09801

SHA256
d86ed80d2a9e4e1af843a991a6553a2fefd5433b2144be0cfb63a2f18deb86be

SHA512
76d440fe2ed535677a1d249b289463bfedfc5d2afc0e269e4593bb113393f165856c07117735cf3e5a230b5d04a61c7126df24a466594d8c27b47b2047834a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\be82ada3-ed05-49bb-80ec-15d490961d97\vb-at-yandex.ru.xpi

Filesize
1.7MB

MD5
e68cea8c6d4b16641f30dd930a952ebb

SHA1
7e8c4b51e6e56f35a2983ab6cb121341aeda565c

SHA256
a7f3f788323a12158d66f341c4711d71fc2244a2b07a68fb8df4baec0ff76f35

SHA512
96351e36a4c5020ed464b96b72bb3063db819981440bde7c6c3a50f7fe470e1d70f0350ec7c4bcd4808fcabe2ddfbdebfc7039ae2248c1455e2245f53ce44ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml

Filesize
529B

MD5
58321797cfa5bde73102e2ba51ee0ddb

SHA1
10553e0f1a3514638a3c51172e0f339ab21f6f00

SHA256
99a2809ca37a79752647dbec0d69890fe952b4eb160fb278aeec0eff7e323c08

SHA512
684be4478b9b80bd3e8bcf19f2d33f320fc00141c6275e49699ff6d0a5a470f07401e48e19c5882e4100dc69b2357d6df24baebbc35fd979e326a4036b575367

Download Submit
C:\Users\Admin\AppData\Local\Temp\omnija-20244918.zip

Filesize
14.1MB

MD5
adae6ea94a958db9bc7263c8f1ab82c2

SHA1
e501817e47cb66d843ab4dbb985fdc58247c1a34

SHA256
1fab99ff2fc21c75d8d69b56df3dd04453626c42b6eed58eb55aa42d17a92232

SHA512
4ae7458b9c1b3c73576f1461100bfbc2a29f9864f5403fd2c9f534e4d6b76fe35a15f8af7ea19f10d8dd6f7be98e9ae6d85031fb0f627a6220760dedd731a9c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vendor00000.xml

Filesize
508B

MD5
362c4a66b04c9a4dbd2909525cb437c9

SHA1
77b9003e9f75239ac40650b4d2502f9a1916d243

SHA256
3860c627a14faa4e9ade218acdac94614fc8e6d168f4c7c734e13c66b11d1cd6

SHA512
3f7bcfa87b384c4b57561cc98ecda4776b68157b02758a4bbe5122d571a9cd92b2db62e9c1d0f6d03c19daf333e43ae6e4608581d16450c1faba529dcf0ef4c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi

Filesize
9.1MB

MD5
dac708e01d72732184cc8950826624a0

SHA1
71385ea8cdcecb5f2bc9f481dfd7f14ec99d762a

SHA256
19dbfbd93de1022453ed126ed7cf3c86c5383496b24e17e801eccb521e30ec2a

SHA512
0d5a40b5e01f5e831c27523a3c1a602d3c2db69d36bd7e38b9caa42f9f2ffdf1db566e37b8fb833a63b16dfb0ad75c5106ff2f602d60ebbaf44bd661322f0d4b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2ohppiy3.Admin\places.sqlite-20240218054957.531889.backup

Filesize
68KB

MD5
58b4f36e4874cbc6a0a930e91ffb2c89

SHA1
207138ddac715a55c24babb609fb1a480658f3f6

SHA256
69d959aa7616101ea0d194cbb3afa08047ea7a9d169ca72a9d375f7e96125e48

SHA512
cd6b989135fa8d7951606e1ff1285fe3f2ac2859414a4c88b3b7c71e02c765988775ce60d4e382183528d55cffdfd9fb08be1e9b96f692ad50ba473a9f84edee

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Bookmarks-20240218054957.641269.backup

Filesize
1KB

MD5
3adec702d4472e3252ca8b58af62247c

SHA1
35d1d2f90b80dca80ad398f411c93fe8aef07435

SHA256
2b167248e8136c4d45c2c46e2bff6fb5e5137dd4dfdccde998599be2df2e9335

SHA512
7562e093d16ee6305c1bb143a3f5d60dafe8b5de74952709abc68a0c353b65416bf78b1fa1a6720331615898848c1464a7758c5dfe78f8098f77fbfa924784c0

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Preferences-20240218054957.641269.backup

Filesize
313B

MD5
af006f1bcc57b11c3478be8babc036a8

SHA1
c3bb4fa8c905565ca6a1f218e39fe7494910891e

SHA256
ed6a32e11cc99728771989b01f5ae813de80c46a59d3dc68c23a4671a343cb8c

SHA512
3d20689b0f39b414349c505be607e6bfc1f33ac401cf62a32f36f7114e4a486552f3e74661e90db29402bb85866944e9f8f31baba9605aa0c6def621511a26af

Download Submit
C:\Users\Admin\AppData\Roaming\Yandex\ui

Filesize
38B

MD5
ce912de249ba6e29d50235453123e2c3

SHA1
683ff6035a0436741e0b9a59e071885463da89e2

SHA256
a75d30ce963d8a8aa0c8a358d9cd862d25ab4c244005faf069a137e713e00e36

SHA512
0fab760a719764761ce24afa64c6a68cd8e7bc1d005502573011e9003c469083692b28074389e0d1db72cb50746183d16340062c68a252c2aab1a67127a933d0

Download Submit
C:\Windows\Installer\MSI4C2C.tmp

Filesize
171KB

MD5
cb48b56d733e4e923d368674b02b4459

SHA1
92362e400cc53c2729d3d97a753c2ef24cacf614

SHA256
3e3bcad00d145302e91c37c763144a37e694430b430527a440cc46c700c33f21

SHA512
aa89d1e61a318751f10a88802ad4713c7b708e8074acc0a2b80c4e763f53bcfbf712b27049ccf53c2f94a18be9ded082ef8206804b63195aac1e97c44cf97489

Download Submit
C:\Windows\Installer\MSI4C7B.tmp

Filesize
190KB

MD5
351e5c03e84f43ef17ecac2b77b8f7e1

SHA1
4d71bcb5cc3ff04add17245f9e2846398fecceb7

SHA256
5a1e53a4295f93005f2188d1bba6d61710193102cb5bd144e487c018988bb1bc

SHA512
eabcea3966fa320055e320b271b68dcb32df5af934cf43ca2dec76b2f255ffb781816739a92470a125b802a4e9cc7e907f581a5268b3745e84e3bf29a385dbd6

Download Submit
C:\Windows\Installer\MSI4DDB.tmp

Filesize
202KB

MD5
d773d9bd091e712df7560f576da53de8

SHA1
165cfbdce1811883360112441f7237b287cf0691

SHA256
e0db1804cf53ed4819ed70cb35c67680ce1a77573efded86e6dac81010ce55e7

SHA512
15a956090f8756a6bfdbe191fda36739b1107eada62c6cd3058218beb417bdbd2ea82be9b055f7f6eb8017394b330daff2e9824dbc9c4f137bead8e2ac0574cd

Download Submit