837865cb56654e962eb82218975907478bdf70c6270796a81cff5e3b24a62a51

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Size

8.8MB
MD5

3e2338b13253c52be4fdde848537e7a6
SHA1

caf841cc46e04bd986fbc5cdb0351746ca8a82ca
SHA256

837865cb56654e962eb82218975907478bdf70c6270796a81cff5e3b24a62a51
SHA512

d444c99792b2a1a0af5f953062bb1ac3978c3fc1e211c61a4be7414a04ecc763aa27b7bcc52d1d8915d717a3025e9aff9430991e13f5a90b02f3e2ac61785b8d
SSDEEP

98304:umCMLyAw3LNIsVqygGP0w1sBJ1QttoFCqkKq7NO55f0pmsOWrqufezvWq/vUv2Tu:KJBILX6svTCZWfFWrqufezvWqHUZ

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exe

flow pid process

28 460 msiexec.exe
29 460 msiexec.exe

flow	pid	process
28	460	msiexec.exe
29	460	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe

description	ioc	process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
File opened (read-only)	\??\E:	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
File opened (read-only)	\??\U:	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
File opened (read-only)	\??\T:	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
File opened (read-only)	\??\I:	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
File opened (read-only)	\??\P:	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
File opened (read-only)	\??\W:	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
File opened (read-only)	\??\O:	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
File opened (read-only)	\??\Y:	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
File opened (read-only)	\??\J:	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
File opened (read-only)	\??\X:	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
File opened (read-only)	\??\M:	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
File opened (read-only)	\??\Q:	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
File opened (read-only)	\??\S:	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
File opened (read-only)	\??\N:	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
File opened (read-only)	\??\R:	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
File opened (read-only)	\??\W:	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 16 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\SourceHash{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4984.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI47B8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4847.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI48A7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4867.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI48D6.tmp	msiexec.exe
File created	C:\Windows\Installer\e574537.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e574537.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4759.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4926.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI47E8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI49B4.tmp	msiexec.exe

Executes dropped EXE 3 IoCs

Processes:

lite_installer.exeseederexe.exesender.exe

pid process

3496 lite_installer.exe
3140 seederexe.exe
5744 sender.exe
Loads dropped DLL 9 IoCs

Processes:

MsiExec.exeMsiExec.exe

pid process

3972 MsiExec.exe
3972 MsiExec.exe
3972 MsiExec.exe
3972 MsiExec.exe
3972 MsiExec.exe
3972 MsiExec.exe
3972 MsiExec.exe
3972 MsiExec.exe
5068 MsiExec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3496	lite_installer.exe
3140	seederexe.exe
5744	sender.exe

pid	process
3972	MsiExec.exe
3972	MsiExec.exe
3972	MsiExec.exe
3972	MsiExec.exe
3972	MsiExec.exe
3972	MsiExec.exe
3972	MsiExec.exe
3972	MsiExec.exe
5068	MsiExec.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

seederexe.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Main	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\SearchScopes	seederexe.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

msiexec.exeseederexe.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	seederexe.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E88DCCE0-B7B3-11D1-A9F0-00AA0060FA31} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 01000000000000003b07362b2599da01	seederexe.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exemsiexec.exelite_installer.exeseederexe.exesender.exe

pid	process
3660	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
3660	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
460	msiexec.exe
460	msiexec.exe
3496	lite_installer.exe
3496	lite_installer.exe
3140	seederexe.exe
3140	seederexe.exe
5744	sender.exe
5744	sender.exe
5744	sender.exe
5744	sender.exe
3496	lite_installer.exe
3496	lite_installer.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

Processes:

2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	3660	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Token: SeIncreaseQuotaPrivilege	3660	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Token: SeSecurityPrivilege	460	msiexec.exe
Token: SeCreateTokenPrivilege	3660	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Token: SeAssignPrimaryTokenPrivilege	3660	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Token: SeLockMemoryPrivilege	3660	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Token: SeIncreaseQuotaPrivilege	3660	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Token: SeMachineAccountPrivilege	3660	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Token: SeTcbPrivilege	3660	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Token: SeSecurityPrivilege	3660	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Token: SeTakeOwnershipPrivilege	3660	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Token: SeLoadDriverPrivilege	3660	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Token: SeSystemProfilePrivilege	3660	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Token: SeSystemtimePrivilege	3660	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Token: SeProfSingleProcessPrivilege	3660	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Token: SeIncBasePriorityPrivilege	3660	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Token: SeCreatePagefilePrivilege	3660	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Token: SeCreatePermanentPrivilege	3660	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Token: SeBackupPrivilege	3660	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Token: SeRestorePrivilege	3660	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Token: SeShutdownPrivilege	3660	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Token: SeDebugPrivilege	3660	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Token: SeAuditPrivilege	3660	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Token: SeSystemEnvironmentPrivilege	3660	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Token: SeChangeNotifyPrivilege	3660	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Token: SeRemoteShutdownPrivilege	3660	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Token: SeUndockPrivilege	3660	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Token: SeSyncAgentPrivilege	3660	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Token: SeEnableDelegationPrivilege	3660	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Token: SeManageVolumePrivilege	3660	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Token: SeImpersonatePrivilege	3660	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Token: SeCreateGlobalPrivilege	3660	2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
Token: SeRestorePrivilege	460	msiexec.exe
Token: SeTakeOwnershipPrivilege	460	msiexec.exe
Token: SeRestorePrivilege	460	msiexec.exe
Token: SeTakeOwnershipPrivilege	460	msiexec.exe
Token: SeRestorePrivilege	460	msiexec.exe
Token: SeTakeOwnershipPrivilege	460	msiexec.exe
Token: SeRestorePrivilege	460	msiexec.exe
Token: SeTakeOwnershipPrivilege	460	msiexec.exe
Token: SeRestorePrivilege	460	msiexec.exe
Token: SeTakeOwnershipPrivilege	460	msiexec.exe
Token: SeRestorePrivilege	460	msiexec.exe
Token: SeTakeOwnershipPrivilege	460	msiexec.exe
Token: SeRestorePrivilege	460	msiexec.exe
Token: SeTakeOwnershipPrivilege	460	msiexec.exe
Token: SeRestorePrivilege	460	msiexec.exe
Token: SeTakeOwnershipPrivilege	460	msiexec.exe
Token: SeRestorePrivilege	460	msiexec.exe
Token: SeTakeOwnershipPrivilege	460	msiexec.exe
Token: SeRestorePrivilege	460	msiexec.exe
Token: SeTakeOwnershipPrivilege	460	msiexec.exe
Token: SeRestorePrivilege	460	msiexec.exe
Token: SeTakeOwnershipPrivilege	460	msiexec.exe
Token: SeRestorePrivilege	460	msiexec.exe
Token: SeTakeOwnershipPrivilege	460	msiexec.exe
Token: SeRestorePrivilege	460	msiexec.exe
Token: SeTakeOwnershipPrivilege	460	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe

pid process

3660 2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
3660 2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

msiexec.exeMsiExec.exeMsiExec.exeseederexe.exe

description	pid	process	target process
PID 460 wrote to memory of 3972	460	msiexec.exe	MsiExec.exe
PID 460 wrote to memory of 3972	460	msiexec.exe	MsiExec.exe
PID 460 wrote to memory of 3972	460	msiexec.exe	MsiExec.exe
PID 3972 wrote to memory of 3496	3972	MsiExec.exe	lite_installer.exe
PID 3972 wrote to memory of 3496	3972	MsiExec.exe	lite_installer.exe
PID 3972 wrote to memory of 3496	3972	MsiExec.exe	lite_installer.exe
PID 460 wrote to memory of 5068	460	msiexec.exe	MsiExec.exe
PID 460 wrote to memory of 5068	460	msiexec.exe	MsiExec.exe
PID 460 wrote to memory of 5068	460	msiexec.exe	MsiExec.exe
PID 5068 wrote to memory of 3140	5068	MsiExec.exe	seederexe.exe
PID 5068 wrote to memory of 3140	5068	MsiExec.exe	seederexe.exe
PID 5068 wrote to memory of 3140	5068	MsiExec.exe	seederexe.exe
PID 3140 wrote to memory of 5744	3140	seederexe.exe	sender.exe
PID 3140 wrote to memory of 5744	3140	seederexe.exe	sender.exe
PID 3140 wrote to memory of 5744	3140	seederexe.exe	sender.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_3e2338b13253c52be4fdde848537e7a6_magniber.exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3660

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:460

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 0BE8DF9B8FF9119294503D77757CA5CB
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3972

C:\Users\Admin\AppData\Local\Temp\53237A7F-5908-48F7-8ABA-A3F5848464B5\lite_installer.exe
"C:\Users\Admin\AppData\Local\Temp\53237A7F-5908-48F7-8ABA-A3F5848464B5\lite_installer.exe" --use-user-default-locale --silent --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3496

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A9B57E38761CF566BA4E487979F41E2A E Global\MSI0000
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5068

C:\Users\Admin\AppData\Local\Temp\553B33B0-EB64-40CF-BC1E-D4B63461D07D\seederexe.exe
"C:\Users\Admin\AppData\Local\Temp\553B33B0-EB64-40CF-BC1E-D4B63461D07D\seederexe.exe" "--yqs=" "--yhp=" "--ilight=" "--locale=us" "--browser=" "--browser_default=" "--yabm=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\1A7DF18E-B97A-441E-9EE0-A66C88474461\sender.exe" "--is_elevated=yes" "--ui_level=5"
3⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3140

C:\Users\Admin\AppData\Local\Temp\1A7DF18E-B97A-441E-9EE0-A66C88474461\sender.exe
C:\Users\Admin\AppData\Local\Temp\1A7DF18E-B97A-441E-9EE0-A66C88474461\sender.exe --send "/status.xml?clid=2313368&uuid=54ebe819-7aa0-46c1-8f60-28aa74220774&vnt=Windows 10x64&file-no=8%0A15%0A25%0A37%0A38%0A45%0A57%0A59%0A102%0A106%0A108%0A111%0A129%0A"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5744

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e574538.rbs
Filesize
591B

MD5
a55fb7b2b69c11a9885a638e04f71c63

SHA1
b9dd89913f9f64991026ef57c0b2aab94aa4c90e

SHA256
a12bf9e085ddfc33b794630834f0bbbe90d247873b2605e355fb204e7bfec3a3

SHA512
9d5cc16e1f0974e6933667ead9f56a6bd7b8a3942692aa227e6ddd0bbaea7e5ee7fbf9fa949ec63e2e52d3aeb6842e74b8044a64a76621eeff816c683ae59eb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_A026C9CD7BA14377D055F4A2325D4501
Filesize
1KB

MD5
d51332c4498a42803274c8934d94c9d9

SHA1
c74338351316938b5b74467e7574e7dce8f3772e

SHA256
e241e6464c543009cd33ee42d029e6e3dab9770c37fd313c415736ce8881bb58

SHA512
10aeb818f56a839a25a5bcea15fe2c924e631a25b64978b3995e0d96ad0f20c2eb1543ed17c59285b7267f8ac2b7b692deeada04c683cd2f4bb16db40a379f65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\769F85394FB15C375FF89A7488274D5B_22252D7CC6CD0EA80FCE3FF30A53AFB2
Filesize
1KB

MD5
97c39fea884a0ad69fd4ad52d7670c2b

SHA1
314456ea83fced57372db666a97d736b9ebed3da

SHA256
9dd023df04ad5eccfbdb943e9999300f890c412e03ea0152aaabff82538a1cc6

SHA512
ad7b528633df63f152ad13ad09bec632f0e629e99ec73c981e0cda2f3abdd6e08aa57a2fda8f7be8ddc255a72dfdd5a195dac00066e2939c422deaab203bd9c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_4BB72A60CF9C652B353353202101C0E4
Filesize
1KB

MD5
fd4dccf5320193f2e0d52bb353886574

SHA1
777a4fe874f57fb0c6237f606563ff015c93ba34

SHA256
25de1a1bbfce65ea8fc73754232a5a40ddce35e6b6b380ef1bb0ce1eb1064e0d

SHA512
e0169282b4b60ecde043ee7f48bae7dbd3d315faaf7291a3df59c08c6f1ad105e429a94441907066d7b054c62a5a7a990197a4680e47c5fa45e58f1af205ec91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B0B1E3C3B1330A269DBEE4BA6313E7B4
Filesize
1KB

MD5
2ffbdb98df2a2b022a48adeb94a3af50

SHA1
6c86923b5c5832bb102f041cb7d38db397074f12

SHA256
dd12c5733bc4b682e1da6353c8c27650f53d11a8ada8fd8a2d06f23cecae5ebd

SHA512
a5f29661ac78ea205dd945fcc53e015152277426af4bcce688231ca1a564dc49144b2953409651737733fec72e9042468c780917543c007d7de74ed44058dbfb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDA81A73291E20E6ACF6CACA76D5C942_4EA93225B46C4B45501FF0DDE9E306D0
Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_A026C9CD7BA14377D055F4A2325D4501
Filesize
508B

MD5
5671b2231c2b370fbc4a82a5a29ebf1f

SHA1
f24311dd857ff65716ace45edcf1dc87ad698db2

SHA256
e33810b4af90b010891a1898ff65947a5f3ebc274a042e98f4dd88af6a0b0f7a

SHA512
3cdbb6bebe67b1534ac830b76cc2d9f21cfe0fed967f3388b16858d7ec8e49bfc456ac6a8dafaf633892690a466f94343e88ae592fdeea23c8c5abf0052ab4f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\769F85394FB15C375FF89A7488274D5B_22252D7CC6CD0EA80FCE3FF30A53AFB2
Filesize
522B

MD5
b256abae2b2d337bf4bcb2c3b94cf51a

SHA1
c0af275eb6d64835b0f802d8f25d52b8bedd9c50

SHA256
55bb5e11b1771c01c7908a68f45a51d63303f2c1a9d5c862b63f426cd3e0b39c

SHA512
b3c19b4780c6f13afab796293cf073c22036fe2f0879f61d5ad3ca655add899e949b966bdfc9a2dedda3c8293e25cea81493c1d44cfdda551c9e39971a9438d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_4BB72A60CF9C652B353353202101C0E4
Filesize
502B

MD5
feb03ec31aecbeace75e17c49d6a0653

SHA1
fefb031275bfe552b3cb8d25b95a7518ba13bc98

SHA256
9a3598cc2c20e851a82b2041ba9ffa99f9d747f8f31eb17c9fced40220ee7747

SHA512
d6b7db65cff4d5a090095dd1d8f064a62c94cad18bb1fca9d29776210d1eb9df1e3cba617f6a218e62f642e928351928d6b4ce24e0d61cc7618576727a4bb56b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B0B1E3C3B1330A269DBEE4BA6313E7B4
Filesize
208B

MD5
770104f28a2e0706514d8f942856b1ba

SHA1
6e384f260fb85e6f6093ecc84bbd6a14d109af6e

SHA256
757abb226f855ea1d4e60e08efb21ce1819dd2db35098c1b39d517d4bb1bcfc7

SHA512
a7c5c6d924e47cb7a9e9e6a275a4d0e6df744748bb644813ebbcf0989b1b26b705a0d88ef8b328280938140d4f3b0217c61e308fedcb7f8e1a4ad37ad617f434

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDA81A73291E20E6ACF6CACA76D5C942_4EA93225B46C4B45501FF0DDE9E306D0
Filesize
440B

MD5
b3b0dcc8e6daf7916fb5e51464ce64df

SHA1
c0a963486385c86e43f723089483cb048d09e4fb

SHA256
130b6e42fc70bb82f873b5397528f5ed81348278cad294722f937f14ebca4804

SHA512
3c9d5de5bdf735e1c478412c6350957e53ad37e029eb4c1de4509fdfe1536ecd9a7e981f2840dac3ab57dde369edc11d6ca3c1f175e0cad03bda489e888a6f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A7DF18E-B97A-441E-9EE0-A66C88474461\sender.exe
Filesize
249KB

MD5
4ce9460ed83b599b1176c4161e0e5816

SHA1
ca1bd4f28ec3e6f4b0253764e6339e480d3549bd

SHA256
118d277f46df036ffb1ca69d9da7890c65c3807a6e88248f3ba703b0f51cd308

SHA512
1064da56e85d3b0c34c47e9fa0821b2ceb79e338e602e705b7f801c0a1bfb83246c340fa1351fc222216a12968bcc52540e105f186a3ef6f3e7c32348936daf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\53237A7F-5908-48F7-8ABA-A3F5848464B5\lite_installer.exe
Filesize
390KB

MD5
28b10eff9b78787aa18e424fd9319064

SHA1
0bd2bc3665e8988567607460ea6bfc51d45d4d5c

SHA256
dbbbf54115fb97f777180f67ee341cf16803ed6e85bf9af60ea13d9b99be362d

SHA512
a908a231c9db21767066ab13ec4a8ac451bc978f5d8bccf5032e5ecbcaa996c7e2afff0121036cc184a3c19a4caf542bb15dbe6ad6dae16c422f6ac6bc5a791a

Download Submit
C:\Users\Admin\AppData\Local\Temp\553B33B0-EB64-40CF-BC1E-D4B63461D07D\seederexe.exe
Filesize
6.8MB

MD5
6df2e368846222aef04e596d9ea43aac

SHA1
57b59e1002d9d971fc504df0493d5ac54380027b

SHA256
f4adf79355ff21c11faf8283d06e28013478834a64d9473d27194f4dbcfed359

SHA512
a40636178285fa12b1b6f99802fdfd3b569c674b1864f5c6893ccb6a48c90232539704da8ea478457ead39c1f94c319467b41142c8aa26473a280c4fb329f662

Download Submit
C:\Users\Admin\AppData\Local\Temp\YandexSearch00000.log
Filesize
35KB

MD5
dc281c51c08e6da534356b6bb1a299c8

SHA1
067bff82a9b8997caf3113379d7d3d4bc10e87c1

SHA256
adb9410d3c2e8ebfd52a5dbb94c08190912a234196f0e3d885c3a413c592ea67

SHA512
7632e38b684a992ce72f9ce4abf4d1c55fb7ea58aa91e889d9ddd96942e64e35c8394c8d355585c4dd1d77a24143601f1f84867cc3ebede85fd6d74ebe195452

Download Submit
C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml
Filesize
529B

MD5
06843321f3460c6ce2ea0fd7d71925ed

SHA1
c4cc099fb85313fdf6068c42b1097c94fecd216f

SHA256
c985fd3a625e446bb9ff7ced9ff7096e04ace30f48a39dfbed9b1bbc10a59bd9

SHA512
9b41ac1561341ec9f38f076dd77aa49c1bb7fda9655c196b81f29b625757e9bd6f4a982090f6baf011a7c0e8c319dbbb0940c35ba417a4a32f3ca996d0305270

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3cb9260-5ba7-46f1-b39a-c671fa5974ec\[email protected]
Filesize
1KB

MD5
5a40649cf7f6923e1e00e67a8e5fc6c8

SHA1
fc849b64b31f2b3d955f0cb205db6921eacc1b53

SHA256
6d432ba7096090837f9533a33a686c846ad67aed8ecc43af7ce8af42649cd51a

SHA512
0fc42a2cc61528b14478f4b9ae098ea90e6b05ddbe10f3a6cdd6326d0d8e6185b49d2b8143b76a9f329bdc277cf02b54d98f374edd65df68a1ffc41e1c817786

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3cb9260-5ba7-46f1-b39a-c671fa5974ec\[email protected]
Filesize
688KB

MD5
ab6d42f949df8d7e6a48c07e9b0d86e0

SHA1
1830399574b1973e2272e5dcc368c4c10dbbe06b

SHA256
205ebf52c47b42fa0ad1a734a1d882d96b567e15a32b19bdb907562db8ea09e2

SHA512
6c4f9bb726384c87b6523e08339f7821ad4ec8717b26db902ca51df74eb89b46e4ded1504a131683b07b2bba3e6e911a549a8a83b2aad3971047c0fe315a1ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3cb9260-5ba7-46f1-b39a-c671fa5974ec\[email protected]
Filesize
5KB

MD5
856242624386f56874a3f3e71d7993f4

SHA1
96d3199c5eebb0d48c944050fbc753535ee09801

SHA256
d86ed80d2a9e4e1af843a991a6553a2fefd5433b2144be0cfb63a2f18deb86be

SHA512
76d440fe2ed535677a1d249b289463bfedfc5d2afc0e269e4593bb113393f165856c07117735cf3e5a230b5d04a61c7126df24a466594d8c27b47b2047834a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3cb9260-5ba7-46f1-b39a-c671fa5974ec\[email protected]
Filesize
1.7MB

MD5
e68cea8c6d4b16641f30dd930a952ebb

SHA1
7e8c4b51e6e56f35a2983ab6cb121341aeda565c

SHA256
a7f3f788323a12158d66f341c4711d71fc2244a2b07a68fb8df4baec0ff76f35

SHA512
96351e36a4c5020ed464b96b72bb3063db819981440bde7c6c3a50f7fe470e1d70f0350ec7c4bcd4808fcabe2ddfbdebfc7039ae2248c1455e2245f53ce44ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\omnija-20243328.zip
Filesize
40.8MB

MD5
d3801707c18394a386b9afb3f2a87ab2

SHA1
6ce5aab2a6143f39d60c263075103ecee97bdec0

SHA256
5e5af3dd1713ce5e4493b5d7ee4263a307eeef4baf305a36bb1332e96c267cc7

SHA512
1fd062333fa06708ca55d9339ebded681a9edeb20db25d3b606324195d409374881c4dd54ca72bd5d5f25190e9fac118ff800f381abd5db8079c04178425119f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vendor00000.xml
Filesize
508B

MD5
d0c01de02df63c1eeae30ffc32abb136

SHA1
4d3fb5f6512c2cbee9d2b705a7ac35796268a6fc

SHA256
19c170ee073ee2f8c63f29bea72d1f9751103717d1f40058cc2256c218488716

SHA512
85fe41313fe7f6fe09d32b558b5921fcf5753150f50d5b12c5c4bb8652ab725fa307d2573aba0d0e093627afc586c279ddeafd0ba3b6ae431fed2e968e2770cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi
Filesize
8.5MB

MD5
f3b4d275867a9652026b60133d4fe8ce

SHA1
9219a694c2e9d1690a59d9bde8f0f7378ed455d4

SHA256
94066b62be7c1f76adf319c3c2d28a88c6cadc41c8c65aca32fcfd9feba5a8f5

SHA512
d8e5e405a29eb58fb0b7e2e00c4f4bf2742c19534237e44a3a114ea4fa8740b890fac51e2ee653c1e066d726a0a42baa4c59d3df18269992043ea38be20d80c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dl59x85f.Admin\places.sqlite-2024332810.505792505.backup
Filesize
68KB

MD5
d57cd95de07d3b15eb5cf8baa80471af

SHA1
322c0e13f2022ab255a8d2a50c5835779b6ccc3e

SHA256
651efdc8961efbf6476e4cc4b3965a4da72690ebedda009fd800c6d936a67696

SHA512
2e98256a9e76ae384f88b83075a321f60cb13ee6f7e8cb93f1919103b82ba79a67b5eec8a7d3043fe26b377fae58545e82323813897c0e67adfacaa885d6f68e

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Bookmarks-2024332810.615161615.backup
Filesize
1KB

MD5
3adec702d4472e3252ca8b58af62247c

SHA1
35d1d2f90b80dca80ad398f411c93fe8aef07435

SHA256
2b167248e8136c4d45c2c46e2bff6fb5e5137dd4dfdccde998599be2df2e9335

SHA512
7562e093d16ee6305c1bb143a3f5d60dafe8b5de74952709abc68a0c353b65416bf78b1fa1a6720331615898848c1464a7758c5dfe78f8098f77fbfa924784c0

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Preferences-2024332810.615161615.backup
Filesize
313B

MD5
af006f1bcc57b11c3478be8babc036a8

SHA1
c3bb4fa8c905565ca6a1f218e39fe7494910891e

SHA256
ed6a32e11cc99728771989b01f5ae813de80c46a59d3dc68c23a4671a343cb8c

SHA512
3d20689b0f39b414349c505be607e6bfc1f33ac401cf62a32f36f7114e4a486552f3e74661e90db29402bb85866944e9f8f31baba9605aa0c6def621511a26af

Download Submit
C:\Users\Admin\AppData\Roaming\Yandex\ui
Filesize
38B

MD5
f5fab6ef42caaef3cbcff4f0be9af5e4

SHA1
a24f49cb2e64fc64c9819eaf959a603726817554

SHA256
b24f8bfbb0de9b99b7126dd0968fc0687cf9093043c973040fc8cb0cadaeb9ed

SHA512
25a172ba0c01248782de5d1fb853d8bafedc13d33af06a60365fc8991b22574c698c7be90c76df331ee93ae6afa83e54c1680a394df0560bb64a01ded3fd7d8e

Download Submit
C:\Windows\Installer\MSI4759.tmp
Filesize
172KB

MD5
694a088ff8fa0e3155881bb6500868bc

SHA1
096626661b9bcb3b3197b92e7e3c4e77ad4b2df4

SHA256
6f3a5bbd29f669712d6c2c7e5174dea6807cb86fda293acbe360bde81d29a633

SHA512
bd3a9cdf9ea591d462be8e00e9bc44c391897c40d598ada19f0377f3a6aea97aba03627d97d6362edbb81763fe3c7570d07bdfd5a004dd9e7af4531bc490bdeb

Download Submit
C:\Windows\Installer\MSI47B8.tmp
Filesize
189KB

MD5
c3a831564e7b54fb7b502b728e232542

SHA1
82a4f969b1f19dc6489e13d357ccad9fef4837ab

SHA256
43097d66f86e3a1103d4cc7c410e46daba8d1a7a991ab6c222d41bd2620c19ca

SHA512
4855ca4429974a0b111d42b86cb8f89188310aaaf9174b4cf462a968163c8b92e38d4a519c78133301b341be5cd02e34b55b55575e84f0d01c2cd11ae74cce05

Download Submit
C:\Windows\Installer\MSI49B4.tmp
Filesize
202KB

MD5
ba84dd4e0c1408828ccc1de09f585eda

SHA1
e8e10065d479f8f591b9885ea8487bc673301298

SHA256
3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852

SHA512
7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290

Download Submit