8fa5386c7b9c04b1f8d8900278075b028baa8b9fd36cd5fadd19d656090a5bb6

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Size

8.6MB
MD5

21a74026371f0bc84e53df36a988d8b2
SHA1

cb375cae63d8cde6ae3ae89e6f0db2302dde86f6
SHA256

8fa5386c7b9c04b1f8d8900278075b028baa8b9fd36cd5fadd19d656090a5bb6
SHA512

bff1bfa1e3eb0c5794db4e8e58e24907ad6b7ffcf1c8e5928f93f1328927f6dad5b8e970833c2742071f337298f39dc01ffbc5fc76dadce4160f484480f8a8ba
SSDEEP

98304:376wMlkYxXKNgR7YjTMbk+ust6tXHJwWkHmPh7gCNq7N2/wK0pmsCWrqufezvktF:Wwi3K+lYMIstaiOgC8KVWrqufezvq

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exe

flow pid process

23 3796 msiexec.exe
24 3796 msiexec.exe

flow	pid	process
23	3796	msiexec.exe
24	3796	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\V:	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
File opened (read-only)	\??\B:	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
File opened (read-only)	\??\E:	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
File opened (read-only)	\??\G:	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
File opened (read-only)	\??\K:	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
File opened (read-only)	\??\O:	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
File opened (read-only)	\??\T:	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
File opened (read-only)	\??\W:	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
File opened (read-only)	\??\X:	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
File opened (read-only)	\??\P:	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
File opened (read-only)	\??\Q:	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
File opened (read-only)	\??\S:	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
File opened (read-only)	\??\Y:	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
File opened (read-only)	\??\R:	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
File opened (read-only)	\??\U:	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
File opened (read-only)	\??\Z:	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 16 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI5E31.tmp	msiexec.exe
File created	C:\Windows\Installer\e575a07.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5CE5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5D74.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5DE2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5EA1.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5E71.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e575a07.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5F7E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5D44.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5EE0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5F5E.tmp	msiexec.exe

Executes dropped EXE 3 IoCs

Processes:

lite_installer.exeseederexe.exesender.exe

pid process

3848 lite_installer.exe
4752 seederexe.exe
4452 sender.exe
Loads dropped DLL 9 IoCs

Processes:

MsiExec.exeMsiExec.exe

pid process

2336 MsiExec.exe
2336 MsiExec.exe
2336 MsiExec.exe
2336 MsiExec.exe
2336 MsiExec.exe
2336 MsiExec.exe
2336 MsiExec.exe
2336 MsiExec.exe
952 MsiExec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3848	lite_installer.exe
4752	seederexe.exe
4452	sender.exe

pid	process
2336	MsiExec.exe
2336	MsiExec.exe
2336	MsiExec.exe
2336	MsiExec.exe
2336	MsiExec.exe
2336	MsiExec.exe
2336	MsiExec.exe
2336	MsiExec.exe
952	MsiExec.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

seederexe.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\Main	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\SearchScopes	seederexe.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exemsiexec.exelite_installer.exeseederexe.exesender.exe

pid	process
2460	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
2460	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
3796	msiexec.exe
3796	msiexec.exe
3848	lite_installer.exe
3848	lite_installer.exe
4752	seederexe.exe
4752	seederexe.exe
4452	sender.exe
4452	sender.exe
4452	sender.exe
4452	sender.exe
3848	lite_installer.exe
3848	lite_installer.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

Processes:

2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2460	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Token: SeIncreaseQuotaPrivilege	2460	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Token: SeSecurityPrivilege	3796	msiexec.exe
Token: SeCreateTokenPrivilege	2460	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Token: SeAssignPrimaryTokenPrivilege	2460	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Token: SeLockMemoryPrivilege	2460	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Token: SeIncreaseQuotaPrivilege	2460	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Token: SeMachineAccountPrivilege	2460	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Token: SeTcbPrivilege	2460	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Token: SeSecurityPrivilege	2460	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Token: SeTakeOwnershipPrivilege	2460	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Token: SeLoadDriverPrivilege	2460	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Token: SeSystemProfilePrivilege	2460	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Token: SeSystemtimePrivilege	2460	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Token: SeProfSingleProcessPrivilege	2460	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Token: SeIncBasePriorityPrivilege	2460	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Token: SeCreatePagefilePrivilege	2460	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Token: SeCreatePermanentPrivilege	2460	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Token: SeBackupPrivilege	2460	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Token: SeRestorePrivilege	2460	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Token: SeShutdownPrivilege	2460	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Token: SeDebugPrivilege	2460	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Token: SeAuditPrivilege	2460	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Token: SeSystemEnvironmentPrivilege	2460	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Token: SeChangeNotifyPrivilege	2460	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Token: SeRemoteShutdownPrivilege	2460	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Token: SeUndockPrivilege	2460	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Token: SeSyncAgentPrivilege	2460	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Token: SeEnableDelegationPrivilege	2460	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Token: SeManageVolumePrivilege	2460	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Token: SeImpersonatePrivilege	2460	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Token: SeCreateGlobalPrivilege	2460	2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
Token: SeRestorePrivilege	3796	msiexec.exe
Token: SeTakeOwnershipPrivilege	3796	msiexec.exe
Token: SeRestorePrivilege	3796	msiexec.exe
Token: SeTakeOwnershipPrivilege	3796	msiexec.exe
Token: SeRestorePrivilege	3796	msiexec.exe
Token: SeTakeOwnershipPrivilege	3796	msiexec.exe
Token: SeRestorePrivilege	3796	msiexec.exe
Token: SeTakeOwnershipPrivilege	3796	msiexec.exe
Token: SeRestorePrivilege	3796	msiexec.exe
Token: SeTakeOwnershipPrivilege	3796	msiexec.exe
Token: SeRestorePrivilege	3796	msiexec.exe
Token: SeTakeOwnershipPrivilege	3796	msiexec.exe
Token: SeRestorePrivilege	3796	msiexec.exe
Token: SeTakeOwnershipPrivilege	3796	msiexec.exe
Token: SeRestorePrivilege	3796	msiexec.exe
Token: SeTakeOwnershipPrivilege	3796	msiexec.exe
Token: SeRestorePrivilege	3796	msiexec.exe
Token: SeTakeOwnershipPrivilege	3796	msiexec.exe
Token: SeRestorePrivilege	3796	msiexec.exe
Token: SeTakeOwnershipPrivilege	3796	msiexec.exe
Token: SeRestorePrivilege	3796	msiexec.exe
Token: SeTakeOwnershipPrivilege	3796	msiexec.exe
Token: SeRestorePrivilege	3796	msiexec.exe
Token: SeTakeOwnershipPrivilege	3796	msiexec.exe
Token: SeRestorePrivilege	3796	msiexec.exe
Token: SeTakeOwnershipPrivilege	3796	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe

pid process

2460 2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
2460 2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

msiexec.exeMsiExec.exeMsiExec.exeseederexe.exe

description	pid	process	target process
PID 3796 wrote to memory of 2336	3796	msiexec.exe	MsiExec.exe
PID 3796 wrote to memory of 2336	3796	msiexec.exe	MsiExec.exe
PID 3796 wrote to memory of 2336	3796	msiexec.exe	MsiExec.exe
PID 2336 wrote to memory of 3848	2336	MsiExec.exe	lite_installer.exe
PID 2336 wrote to memory of 3848	2336	MsiExec.exe	lite_installer.exe
PID 2336 wrote to memory of 3848	2336	MsiExec.exe	lite_installer.exe
PID 3796 wrote to memory of 952	3796	msiexec.exe	MsiExec.exe
PID 3796 wrote to memory of 952	3796	msiexec.exe	MsiExec.exe
PID 3796 wrote to memory of 952	3796	msiexec.exe	MsiExec.exe
PID 952 wrote to memory of 4752	952	MsiExec.exe	seederexe.exe
PID 952 wrote to memory of 4752	952	MsiExec.exe	seederexe.exe
PID 952 wrote to memory of 4752	952	MsiExec.exe	seederexe.exe
PID 4752 wrote to memory of 4452	4752	seederexe.exe	sender.exe
PID 4752 wrote to memory of 4452	4752	seederexe.exe	sender.exe
PID 4752 wrote to memory of 4452	4752	seederexe.exe	sender.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_21a74026371f0bc84e53df36a988d8b2_magniber.exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2460

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3796

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding BB1390B6B5166AB61E4A60F7361B64ED
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336

C:\Users\Admin\AppData\Local\Temp\7914D782-8DC4-493C-A47D-639D9CCEB968\lite_installer.exe
"C:\Users\Admin\AppData\Local\Temp\7914D782-8DC4-493C-A47D-639D9CCEB968\lite_installer.exe" --use-user-default-locale --silent --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3848

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 4180F2BD6007E5247B9E71AAC1D28F78 E Global\MSI0000
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:952

C:\Users\Admin\AppData\Local\Temp\668FAF9A-6B38-4D78-8AA9-6C8BA1726EED\seederexe.exe
"C:\Users\Admin\AppData\Local\Temp\668FAF9A-6B38-4D78-8AA9-6C8BA1726EED\seederexe.exe" "--yqs=" "--yhp=" "--ilight=" "--locale=us" "--browser=" "--browser_default=" "--yabm=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\A8325DB9-538E-46DA-8B65-E942276669B1\sender.exe" "--is_elevated=yes" "--ui_level=5"
3⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4752

C:\Users\Admin\AppData\Local\Temp\A8325DB9-538E-46DA-8B65-E942276669B1\sender.exe
C:\Users\Admin\AppData\Local\Temp\A8325DB9-538E-46DA-8B65-E942276669B1\sender.exe --send "/status.xml?clid=2256539&uuid=227d7c6f-eb9d-4b0e-9591-a7e94b787b74&vnt=Windows 10x64&file-no=8%0A25%0A37%0A38%0A45%0A57%0A59%0A102%0A106%0A108%0A111%0A129%0A"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4452

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e575a08.rbs
Filesize
591B

MD5
bf2d495dc97837bc2c7d4a1f4323a327

SHA1
4f4f74d8282df677daf581c8b6e3da136979483e

SHA256
4e6d3dc272a6469f8620c8bb0615751c1c440ab5f84e7202b8764a746a5c5462

SHA512
fa45242d5b45e3a19d0857f840c7c6b0489dbb6c8418a457a0c8a5f750c66fbcc15134edc13413058d62fc2a4969d78b895f39ba316b0823197ada1eee504043

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_A026C9CD7BA14377D055F4A2325D4501
Filesize
1KB

MD5
d51332c4498a42803274c8934d94c9d9

SHA1
c74338351316938b5b74467e7574e7dce8f3772e

SHA256
e241e6464c543009cd33ee42d029e6e3dab9770c37fd313c415736ce8881bb58

SHA512
10aeb818f56a839a25a5bcea15fe2c924e631a25b64978b3995e0d96ad0f20c2eb1543ed17c59285b7267f8ac2b7b692deeada04c683cd2f4bb16db40a379f65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\769F85394FB15C375FF89A7488274D5B_22252D7CC6CD0EA80FCE3FF30A53AFB2
Filesize
1KB

MD5
97c39fea884a0ad69fd4ad52d7670c2b

SHA1
314456ea83fced57372db666a97d736b9ebed3da

SHA256
9dd023df04ad5eccfbdb943e9999300f890c412e03ea0152aaabff82538a1cc6

SHA512
ad7b528633df63f152ad13ad09bec632f0e629e99ec73c981e0cda2f3abdd6e08aa57a2fda8f7be8ddc255a72dfdd5a195dac00066e2939c422deaab203bd9c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_4BB72A60CF9C652B353353202101C0E4
Filesize
1KB

MD5
3219ded8e6bebcf9766fa895a512e2ec

SHA1
9b46da19a2f1f10ff073af24702610d365fd4d51

SHA256
40c8cb562259f2a9e18f1fab2203b317e392ae4489b126c841640736038bab02

SHA512
1dd91fc599a997b7ba7ab1f4ce3078358c2ea3b0495b2af4e97cde761bdd393beb62c891f736e83f036715033c7d9b2eb61a102aa77edc47c9e0ec83069089c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B0B1E3C3B1330A269DBEE4BA6313E7B4
Filesize
1KB

MD5
2ffbdb98df2a2b022a48adeb94a3af50

SHA1
6c86923b5c5832bb102f041cb7d38db397074f12

SHA256
dd12c5733bc4b682e1da6353c8c27650f53d11a8ada8fd8a2d06f23cecae5ebd

SHA512
a5f29661ac78ea205dd945fcc53e015152277426af4bcce688231ca1a564dc49144b2953409651737733fec72e9042468c780917543c007d7de74ed44058dbfb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDA81A73291E20E6ACF6CACA76D5C942_4EA93225B46C4B45501FF0DDE9E306D0
Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_A026C9CD7BA14377D055F4A2325D4501
Filesize
508B

MD5
84b6d9494528d5d8d16b2c0ce99c9db6

SHA1
da3115bac5250cf4cb63c9b64255f096d53a1f21

SHA256
ce8da1e884ae7aa5aa19046fbb73d0296d1e282f3904ad88167af83ce82a0877

SHA512
87d818e43ac7c0c3922a184571c239d176145312b2b3b6fef1819fb6b4a8316249f1d92425fb1666a4d1537ca451016c2e165caea9059e839baaa8a09f54bf95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\769F85394FB15C375FF89A7488274D5B_22252D7CC6CD0EA80FCE3FF30A53AFB2
Filesize
522B

MD5
c3718a0b7201ac372057b4535ddc5374

SHA1
90d9cd76591b6b6237c2ec6595e38dd5c1a8a014

SHA256
269ac6d9df691894615c888c5b5bff05ed51cc72d5c8845c6d857b2e31307bb7

SHA512
ecf0444dd9f1407dc92fbafad89beac3588e43412cc96db340ed684a0d14e44d4956a35ecee6b30e8a0a4889fee35e4b10c716ad7b5c4cbf3ca385089a0f8d5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_4BB72A60CF9C652B353353202101C0E4
Filesize
502B

MD5
2fa3aac7659c1a9999f984044895a4f1

SHA1
40abb338979aad593899988d05ddc4fcb61a77e1

SHA256
3846402611e413c2258042db10bd5826ba5ed5ee84c234c49028b3c4b4ed102a

SHA512
16a30a05d23eb3fe3cdef7d59f7f81471a09e8aceb1214796501c35316baaf15963f92f731751b7d28ba8f9aefc58511b83fe76dad553d86392d6f1df49400e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B0B1E3C3B1330A269DBEE4BA6313E7B4
Filesize
208B

MD5
7b8a18aace0315d981398ff047cbbabd

SHA1
79b16477525a7252ae046eebaaab916db48a776b

SHA256
86a98754a9167b8c32e273e1da60a49bd76775d79142fcc767ddb336b26e8f44

SHA512
2e87a72c172bbb5f76ae1385457b18ac5d07a3f900dab0515f8f2d392dcfd6d9fa4c16d7ccaac303f7e451b58d81100fc2945c3ba04b40c2c89dcdca5e272f85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDA81A73291E20E6ACF6CACA76D5C942_4EA93225B46C4B45501FF0DDE9E306D0
Filesize
440B

MD5
0ac385912bab9e82984fa387f2887b40

SHA1
b694ea4b6c2dfd9ff85e9a2ddbc78a7fca8179cc

SHA256
59717487308d7ced15af89a29ba2c62ed8eefdf62f351e45c0ba3d25f50bb64d

SHA512
568af695288c46cf90e6a7e883573dd9674fbc6a9323ae9354a98a51df0cc48ebde4d122685b5bfc9bad02c75dd9008f3455b5834ece80df7958c33a34d17375

Download Submit
C:\Users\Admin\AppData\Local\Temp\668FAF9A-6B38-4D78-8AA9-6C8BA1726EED\seederexe.exe
Filesize
6.7MB

MD5
f9df2f062bdb4c2be3a3129230103030

SHA1
9cc3b360f49962f4fd4dff057315fa5531210707

SHA256
4867db55dfebe3c66f907b0214c6a746c3ed774338c85999d756d2bcca00b76e

SHA512
1398c9c1b0b1be117fc082068d67aacbf0e9899c6dc424ab883f58d5deeb4cac75b42d1ba64c4a3a7f6553dd05dbb54e67b84215f3bb9b0a0e2fdaf76787be73

Download Submit
C:\Users\Admin\AppData\Local\Temp\7914D782-8DC4-493C-A47D-639D9CCEB968\lite_installer.exe
Filesize
390KB

MD5
d76e1d741effdfbed89984c77b180fa7

SHA1
966734fcf45a54485e821a7f3af537001d0caa6a

SHA256
0e3bde3de1a5decc4ce438bc945c532ee0d3674aeae2f2a259f685d58d53fd8f

SHA512
8dc5f11f716ac2066e542cf4f6faa2236a360386861e4c3e4a216ee9dba62bc099700e2241f75ba9db61fd56081fc1c8521f31cba4ff953241cc19560ae6a4e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8325DB9-538E-46DA-8B65-E942276669B1\sender.exe
Filesize
249KB

MD5
6e7542de2100ae4b5070ddf52d6e94d4

SHA1
564d7867f7e10efc64af9e6d755ff6bca0b08891

SHA256
ed9b52c3ef991944a62c8c47555abe6b459eb51096da4312a09ac09e8b534b31

SHA512
67fbc9507c26ea37666e975c51a41c0ab1c68df2118034680ea8f8604e41383a4f3a7a57015e87bb3544ed1d462161bc53b7aecdd2436f88fcc0f1399f33c2c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\YandexSearch00000.log
Filesize
35KB

MD5
0fc27e1307b340e84790a236dddbddbf

SHA1
1a012b10dfb6aed38bd17d4ded175bb07e12b89a

SHA256
3490fa5c4045f9fbc2c12e8a3fd3c72b91bc17d12b1eb101436ce7df82f268f9

SHA512
ed750f1264bfe78652adb7bfcebf130f3be89936787677a63a83bd10735155c060f23faf0f5d7cff511c4d836a3acbffb92eff01bf5d5965607ae0109d81a55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml
Filesize
549B

MD5
0ed77a9d5bc8e00f9122f4533718f9e1

SHA1
a598cba0ba140a12cbd183e85c3dbe4f9f2455f9

SHA256
40753fc43ae49054d2cc4278e15df24807a7415391e0b2840e0c5db9fec89c6a

SHA512
b29249f4734932ee325f2ada42d91e9a4107354652dc95e27bf70fd99bebc27b40fa443aab407c2f308edcf28a82834d086c5284926ebc547b11b7d7d4d186d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vendor00000.xml
Filesize
586B

MD5
4adc72c0269c83ad0080d4c3a95c39b8

SHA1
0f912a9e759af29b4c317d23b36992f0e1f597d3

SHA256
944de897098927adc1a10e492549eadd9fb43cbf1aafae1e45bd9014beef2002

SHA512
46db832956e344023fbabbd6bef2e44c480644073b18701d68834527043397aa6c52c338e83666fa5e434af3409fc0dd7d024967193ad481c7f991e3ec7cfcd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi
Filesize
8.2MB

MD5
a659b4ea9c5d78e7f64d6eb78e8f83d2

SHA1
1259d5e40609a228eef28a560b7495eaee52128f

SHA256
9f38903f166329f1a1dc587db3ada4988e73afd7b0909877560e49429b1344a3

SHA512
092ad5daf77da01800662cae9325612ad9d7aaf605a6ee256b07cddffef0a73f739f5aacc2ce3e8193e7f61042fdb6700f8a37a397e9da000476fe8285ca22b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nahd6ha2.default\places.sqlite
Filesize
68KB

MD5
d57cd95de07d3b15eb5cf8baa80471af

SHA1
322c0e13f2022ab255a8d2a50c5835779b6ccc3e

SHA256
651efdc8961efbf6476e4cc4b3965a4da72690ebedda009fd800c6d936a67696

SHA512
2e98256a9e76ae384f88b83075a321f60cb13ee6f7e8cb93f1919103b82ba79a67b5eec8a7d3043fe26b377fae58545e82323813897c0e67adfacaa885d6f68e

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Bookmarks-2024492829.712165712.backup
Filesize
1KB

MD5
3adec702d4472e3252ca8b58af62247c

SHA1
35d1d2f90b80dca80ad398f411c93fe8aef07435

SHA256
2b167248e8136c4d45c2c46e2bff6fb5e5137dd4dfdccde998599be2df2e9335

SHA512
7562e093d16ee6305c1bb143a3f5d60dafe8b5de74952709abc68a0c353b65416bf78b1fa1a6720331615898848c1464a7758c5dfe78f8098f77fbfa924784c0

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Preferences-2024492829.712165712.backup
Filesize
313B

MD5
af006f1bcc57b11c3478be8babc036a8

SHA1
c3bb4fa8c905565ca6a1f218e39fe7494910891e

SHA256
ed6a32e11cc99728771989b01f5ae813de80c46a59d3dc68c23a4671a343cb8c

SHA512
3d20689b0f39b414349c505be607e6bfc1f33ac401cf62a32f36f7114e4a486552f3e74661e90db29402bb85866944e9f8f31baba9605aa0c6def621511a26af

Download Submit
C:\Users\Admin\AppData\Roaming\Yandex\ui
Filesize
38B

MD5
38bbbb1b3fb894b63fcf88d45f5a7ec2

SHA1
d90af930a1e86fe942b20140560010720ecffbd4

SHA256
035942fa889c7fc468cf9670409934a8d2b193bf382d25e042b060466152c3e0

SHA512
4ba7c3d7ef2cd49482167b35239099a0a8b268be77fe350d4964b8b640dd11753e6a12e000caf494b8b66bc173e01c728ffaf3c5ed9fbefc7d3ac9cc83bad7ef

Download Submit
C:\Windows\Installer\MSI5CE5.tmp
Filesize
172KB

MD5
17d3de1fd7f7c6c3a6520d0fadea3e0e

SHA1
92587dfb70fcfc8db5aba782b414043ba24a5918

SHA256
fb28a17904096b3ee385d2fe1f033298519c0ebf69ced454b45fdad5247589c9

SHA512
1be8de8180e8a86735d8b3d97c808b85a6be545d9946b117b39c6e1c37124ac4ee6acf314d1982249b531fd24097d6a30a0b5228f0b30ccd66a5fdb4ed3e4f5a

Download Submit
C:\Windows\Installer\MSI5D44.tmp
Filesize
189KB

MD5
84be3b020067fb25e77e72710291a70a

SHA1
792feeafa52d93e5ec6538794cd97df49666b7ea

SHA256
8591f02e50663689043d6dec34ade65cb24732914b73de5faa43e74ed5b6450c

SHA512
1eb0fe8f5501e623efcd033665132ee3859968aede5f496634ac107008eaa3964941d019a207c63e21c8b76f45bad718ca70c10ab81f8dccdf0fb89acfb9a0bc

Download Submit
C:\Windows\Installer\MSI5F7E.tmp
Filesize
168KB

MD5
a0962dd193b82c1946dc67e140ddf895

SHA1
7f36c38d80b7c32e750e22907ac7e1f0df76e966

SHA256
b9e73e5ab78d033e0328fc74a9e4ebbd1af614bc4a7c894beb8c59d24ee3ede9

SHA512
118b0bd2941d48479446ed16ab23861073d23f9cc815f5f1d380f9977f18c34a71f61496c78b77b9a70f8b0a6cd08fe1edc1adb376dad5762ad0dd2068c64751

Download Submit