3c35642eb268fa9f47f99a150c0dbb43bec1e262c4078e768cf51e6b408a069b

Analysis

max time kernel
137s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2024, 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Size

8.6MB
MD5

4e33ce1f6a2f81ab2962781449e6eecd
SHA1

9651b9586718f4db20969b7abea938f3f08a1b4e
SHA256

3c35642eb268fa9f47f99a150c0dbb43bec1e262c4078e768cf51e6b408a069b
SHA512

90901b141c9a7ebb0fc1e755e9de3296ea414873c0b4a68c20883d70a7dd17dd2ac0c22a45f1f105220532ab26d525159c3427a84958243298182768a77883e2
SSDEEP

98304:U7cMZuyxXKNgR7YjTMbk+ust6tXHJwWkHmPh7gCNq7N2/wK0pmsCWrqufezvk/sZ:ZgK+lYMIstaiOgC8KVWrqufezvl

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Blocklisted process makes network request 2 IoCs

flow	pid	Process
13	5024	msiexec.exe
14	5024	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
File opened (read-only)	\??\J:	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
File opened (read-only)	\??\K:	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
File opened (read-only)	\??\M:	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
File opened (read-only)	\??\N:	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
File opened (read-only)	\??\W:	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
File opened (read-only)	\??\X:	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
File opened (read-only)	\??\S:	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
File opened (read-only)	\??\H:	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
File opened (read-only)	\??\R:	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\G:	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
File opened (read-only)	\??\V:	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
File opened (read-only)	\??\Z:	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
File opened (read-only)	\??\P:	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
File opened (read-only)	\??\T:	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
File opened (read-only)	\??\Q:	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
File opened (read-only)	\??\U:	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 16 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e574e4f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI524C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI513E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI517D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI51FD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI52EC.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI50CF.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI51DD.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}	msiexec.exe
File opened for modification	C:\Windows\Installer\e574e4f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI51BD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI528C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI52DB.tmp	msiexec.exe

Executes dropped EXE 3 IoCs

pid	Process
3400	lite_installer.exe
3600	seederexe.exe
3052	sender.exe

Loads dropped DLL 9 IoCs

pid	Process
1616	MsiExec.exe
1616	MsiExec.exe
1616	MsiExec.exe
1616	MsiExec.exe
1616	MsiExec.exe
1616	MsiExec.exe
1616	MsiExec.exe
1616	MsiExec.exe
3008	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\SearchScopes	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main	seederexe.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3592	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
3592	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
5024	msiexec.exe
5024	msiexec.exe
3400	lite_installer.exe
3400	lite_installer.exe
3600	seederexe.exe
3600	seederexe.exe
3052	sender.exe
3052	sender.exe
3052	sender.exe
3052	sender.exe
3400	lite_installer.exe
3400	lite_installer.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3592	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Token: SeIncreaseQuotaPrivilege	3592	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Token: SeSecurityPrivilege	5024	msiexec.exe
Token: SeCreateTokenPrivilege	3592	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Token: SeAssignPrimaryTokenPrivilege	3592	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Token: SeLockMemoryPrivilege	3592	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Token: SeIncreaseQuotaPrivilege	3592	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Token: SeMachineAccountPrivilege	3592	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Token: SeTcbPrivilege	3592	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Token: SeSecurityPrivilege	3592	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Token: SeTakeOwnershipPrivilege	3592	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Token: SeLoadDriverPrivilege	3592	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Token: SeSystemProfilePrivilege	3592	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Token: SeSystemtimePrivilege	3592	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Token: SeProfSingleProcessPrivilege	3592	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Token: SeIncBasePriorityPrivilege	3592	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Token: SeCreatePagefilePrivilege	3592	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Token: SeCreatePermanentPrivilege	3592	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Token: SeBackupPrivilege	3592	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Token: SeRestorePrivilege	3592	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Token: SeShutdownPrivilege	3592	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Token: SeDebugPrivilege	3592	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Token: SeAuditPrivilege	3592	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Token: SeSystemEnvironmentPrivilege	3592	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Token: SeChangeNotifyPrivilege	3592	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Token: SeRemoteShutdownPrivilege	3592	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Token: SeUndockPrivilege	3592	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Token: SeSyncAgentPrivilege	3592	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Token: SeEnableDelegationPrivilege	3592	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Token: SeManageVolumePrivilege	3592	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Token: SeImpersonatePrivilege	3592	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Token: SeCreateGlobalPrivilege	3592	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe
Token: SeRestorePrivilege	5024	msiexec.exe
Token: SeTakeOwnershipPrivilege	5024	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3592	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
3592	2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 1616	5024	msiexec.exe	89
PID 5024 wrote to memory of 1616	5024	msiexec.exe	89
PID 5024 wrote to memory of 1616	5024	msiexec.exe	89
PID 1616 wrote to memory of 3400	1616	MsiExec.exe	90
PID 1616 wrote to memory of 3400	1616	MsiExec.exe	90
PID 1616 wrote to memory of 3400	1616	MsiExec.exe	90
PID 5024 wrote to memory of 3008	5024	msiexec.exe	92
PID 5024 wrote to memory of 3008	5024	msiexec.exe	92
PID 5024 wrote to memory of 3008	5024	msiexec.exe	92
PID 3008 wrote to memory of 3600	3008	MsiExec.exe	93
PID 3008 wrote to memory of 3600	3008	MsiExec.exe	93
PID 3008 wrote to memory of 3600	3008	MsiExec.exe	93
PID 3600 wrote to memory of 3052	3600	seederexe.exe	94
PID 3600 wrote to memory of 3052	3600	seederexe.exe	94
PID 3600 wrote to memory of 3052	3600	seederexe.exe	94

C:\Users\Admin\AppData\Local\Temp\2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-05_4e33ce1f6a2f81ab2962781449e6eecd_magniber.exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3592

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C2EAD09EA198BD62CB1E7689CE1F4CDD
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Users\Admin\AppData\Local\Temp\A9400EE0-8053-4DD5-B357-B5D5674A23E1\lite_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\A9400EE0-8053-4DD5-B357-B5D5674A23E1\lite_installer.exe" --use-user-default-locale --silent --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3400
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5E879773528D4216E41CC5CABDF0C7A0 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Users\Admin\AppData\Local\Temp\1EA0484F-D4AF-4EA4-BD8E-8F73F182A47F\seederexe.exe
    "C:\Users\Admin\AppData\Local\Temp\1EA0484F-D4AF-4EA4-BD8E-8F73F182A47F\seederexe.exe" "--yqs=" "--yhp=" "--ilight=" "--locale=us" "--browser=" "--browser_default=" "--yabm=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\6D096A5F-F7AB-436A-8397-67DD291F2954\sender.exe" "--is_elevated=yes" "--ui_level=5"
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3600
  - - C:\Users\Admin\AppData\Local\Temp\6D096A5F-F7AB-436A-8397-67DD291F2954\sender.exe
      C:\Users\Admin\AppData\Local\Temp\6D096A5F-F7AB-436A-8397-67DD291F2954\sender.exe --send "/status.xml?clid=2257102&uuid=2f7c9075-0276-4074-8bc4-12dee9ae1dee&vnt=Windows 10x64&file-no=8%0A25%0A37%0A38%0A45%0A57%0A59%0A102%0A106%0A108%0A111%0A129%0A"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e574e50.rbs

Filesize
591B

MD5
b8ba9c0bba228f3ad96f61734cfba446

SHA1
12a29828d31833f59ff731748f346ac993998d65

SHA256
f00cc66083c0e1d6ef7c93bb85c6a8eb168bdd94de3d9ef4167236c96a4a4221

SHA512
19480f606598163191d9085a36a1f6d9d29385599c6e99a7aa870bc1264fb45be9f20cae3935c1b67544daa6ec5606b2bdedff4b274b0178511ddf04f52eeea6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_A026C9CD7BA14377D055F4A2325D4501

Filesize
1KB

MD5
11328a348d752e784815f061ce51dab5

SHA1
9e8d50eb943ae29cfc518c34f9278e67337454f6

SHA256
da16b92efcb80b2c86ac8c6a4e94e56a55c59daafb709c103c10a16ee54c1ea8

SHA512
d8aa9a8a92f11bd527430d71a7228a8209fb7d75a8ce9beae81a01d4a5f65c14a7b7d5014cd67595f12123a0c9e7746d35ab88611049d055351e291dcd511a1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\769F85394FB15C375FF89A7488274D5B_22252D7CC6CD0EA80FCE3FF30A53AFB2

Filesize
1KB

MD5
ea98a6ce25d3a8c6090d85eab3cf5b81

SHA1
e60cc7c794c0a236edfe8217bc43a5458d61261b

SHA256
268fc790c0a08e5dbba94bd912fa220ebd027ace41956cd71b83d73028b84023

SHA512
30a9838304bf4a494eca5296dd28b501d2c448f5f031e1cf703e7f338396655f713ec2584bc5dbd14104232e999928f77f89fad1c8c423df02ffaef806de05f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_4BB72A60CF9C652B353353202101C0E4

Filesize
1KB

MD5
620a1c6b22223c244b0f865f69523c95

SHA1
d200ab4f3c4e0df8d102ff23a3d0b8dcb34e79cf

SHA256
0edeef353604aaf6af04a8fba9931fd0772a9963d142c28b0a5ddd50ec338060

SHA512
e805ce01052ca1a672e8ff3b9c50c493bc26bfb1efdecbb2eed27bd99a89db9806adaf08f74db98a0efdd6c3d4cab77f27d78cf26789fc306e9314f97f7adfbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B0B1E3C3B1330A269DBEE4BA6313E7B4

Filesize
1KB

MD5
2ffbdb98df2a2b022a48adeb94a3af50

SHA1
6c86923b5c5832bb102f041cb7d38db397074f12

SHA256
dd12c5733bc4b682e1da6353c8c27650f53d11a8ada8fd8a2d06f23cecae5ebd

SHA512
a5f29661ac78ea205dd945fcc53e015152277426af4bcce688231ca1a564dc49144b2953409651737733fec72e9042468c780917543c007d7de74ed44058dbfb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDA81A73291E20E6ACF6CACA76D5C942_4EA93225B46C4B45501FF0DDE9E306D0

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_A026C9CD7BA14377D055F4A2325D4501

Filesize
508B

MD5
2348c7f2d44b8921bcdda038fb28b67d

SHA1
d7780ebb7f68b218d04903dfb585567f3233c659

SHA256
271c1bcff53561ab4c99d5a49d6429a58825b92cb48660161116a6a44f730f7b

SHA512
524e2eb567fddfba01ad0c74f9a86e4ea05c384bedc4f867c0308f52615b1c3a205cf26577295104fc4b30d02af2f3c5d8e96d4e3798dddbb13e99f71da6c959

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\769F85394FB15C375FF89A7488274D5B_22252D7CC6CD0EA80FCE3FF30A53AFB2

Filesize
522B

MD5
e5857c15e2fe1243100d0f23b66c99f6

SHA1
bca4bf50c07adf783f2c11d05c1c15db87c215b1

SHA256
39f196de4b01464e0691917233a84d6aa1e5fd631b6776776c2d54cf82e814e9

SHA512
7f12fb53a1305b7b0bada82c24fc988723146ff831cc77231159d78ba97b0ba6a811ecaccc1ea0dccbc998ecb09dfccffc19a5e3cccabdd39d2f461aa188705f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_4BB72A60CF9C652B353353202101C0E4

Filesize
502B

MD5
44465dd2cbfd6e05b14220a8d56e1a30

SHA1
a56bde685c10be184b7dc08758cd1ed030e3a8ed

SHA256
0354e9fd47e447495db10c6ce3c7f68ca61b014ad379206fb350b38de53f3396

SHA512
f2545fa17ed063cb05e4d178e582da1c51a1deeb7acc044d41e040fdc2e354c2151c75c3f497c9ff9a39637c637ae2b45d1b48f2a28992f813dd566b5c22299e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B0B1E3C3B1330A269DBEE4BA6313E7B4

Filesize
208B

MD5
4bb267d49ba1e8007a51f89f9445c93e

SHA1
0286802fca731e6372d26a52d2404475392bdea9

SHA256
a50ac5f61124aa82f3cae04f764d5a22a8be23c8335982a14e7be528b01ba369

SHA512
4a5c4e3bd5af8dd26cfefc4191758011cba44506d2f3ac04f476cef958fa238dc0f34c8a64e504fb909478cfeef15aa59f8a0650034743ae87cfcb81007e417d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDA81A73291E20E6ACF6CACA76D5C942_4EA93225B46C4B45501FF0DDE9E306D0

Filesize
440B

MD5
7531cdf5f66c82cf190ccf8303908fd0

SHA1
f08951dc33052ecc2af9154f570e21fcca899773

SHA256
6cba93e8b3e0e7a83d776b322cc5a136874b96cd87914db52f72f626189c981b

SHA512
a47adabc33667672d52864ef214766a0a857eebca958e4077757e9078b1b0d28219b18e36d2e7355c7439d536bd973ee31e6fbb904fb025ca445bfa9041100fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1EA0484F-D4AF-4EA4-BD8E-8F73F182A47F\seederexe.exe

Filesize
6.7MB

MD5
f9df2f062bdb4c2be3a3129230103030

SHA1
9cc3b360f49962f4fd4dff057315fa5531210707

SHA256
4867db55dfebe3c66f907b0214c6a746c3ed774338c85999d756d2bcca00b76e

SHA512
1398c9c1b0b1be117fc082068d67aacbf0e9899c6dc424ab883f58d5deeb4cac75b42d1ba64c4a3a7f6553dd05dbb54e67b84215f3bb9b0a0e2fdaf76787be73

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D096A5F-F7AB-436A-8397-67DD291F2954\sender.exe

Filesize
249KB

MD5
6515c9b126f511ef84fe5e4b55b98c6d

SHA1
4b7a495a0528502ae1b46809337eed49b110738d

SHA256
ccd3a9708c6f066d5335de925963c1893b7e56207697b66008359beb9036b872

SHA512
bd4bce744c0c0a07e731dd1463f99b36f86d3497d82f17c00d6b505b8eb2396a4538cc8c7a1f585f587778e6754985ed1999d73b137497bc63693df127ca9555

Download Submit
C:\Users\Admin\AppData\Local\Temp\A9400EE0-8053-4DD5-B357-B5D5674A23E1\lite_installer.exe

Filesize
390KB

MD5
5235094a431ae6aea5860bb0909ea417

SHA1
8a904377319c6a76cae11af17bb0603663f318dd

SHA256
38d798db68ff089965c56ecf30783c37ed3b88ba5cdd96cf3bf851be37699358

SHA512
79eb9c5e82b6e8bb1013c1895a084c7058d46aa2b970222f7deb94d8f7d770019a488b99ca872dde12edd14b6ed9e67ddb2930b5051a3d7f98e8c9172c2f0941

Download Submit
C:\Users\Admin\AppData\Local\Temp\YandexSearch00000.log

Filesize
35KB

MD5
e6c671adf1a178360a360e1967b3dc5e

SHA1
fd677547c45802d61283f7340ef8848f37b3829d

SHA256
752d9ac43e220dcf895c9b61729fe27eef9a2078fd0b10a8bd6e3a7fb840c213

SHA512
6eef123f90a287842346f20206bb5f0ede0ca30144d4827695bace7860d309abb46507eec1a3a338c6f4f35795192b65596b3d8038ac112d6ccc23a26b9886f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml

Filesize
560B

MD5
d0c2024805704e7b692264fca3f6b89f

SHA1
fadf94566d1469c8f3d0983afbbd2888feb8235b

SHA256
20f99cb587c77c7e6e5f9874d8fdc48ed32a5a76fda5b73d00908cd8416348e3

SHA512
e62b2324bd165658224242baa60be05be99cc66b38620840a502d48f625ac4621dad379f8b8e66bd90239184a994f860b732ce3a78ac6a6e7dc62086d31bf680

Download Submit
C:\Users\Admin\AppData\Local\Temp\vendor00000.xml

Filesize
597B

MD5
0d7cedf37142a56b7fec17dcda63d7f2

SHA1
add7ec6987fa88b96ff3aa10f8d128acb0e3a20e

SHA256
acd9c8dced92bb2c52e3af0793c11ad0822f87a33329b2a290bcb482ff77237d

SHA512
5537a035cec27f3a0499f92e9dd03ae2a5e8f53ada411ec44898da6d58b3bd80dbd720d22a6b0e70540c52cfbce7ce3401e8e16c3f780d28a2d9de1815b7c54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi

Filesize
8.3MB

MD5
0b72767d0f9dfe83cdfba359c7a4262a

SHA1
7cb0d55062aeaee327790d26509b2ed39c9c8141

SHA256
ffacf3711dfa7ac36fd4f8e7cb0110b741b378e62c47ac6fe2f0cca30ab615b1

SHA512
12305fc77c03260592ad37e8a6b57a63d8f01fd617f4883543a286ca88e02c060c17040a762a5213cd2a0a1bf7697272d1da426a6aeecd7cd53ac60307cd4733

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nahd6ha2.default\places.sqlite

Filesize
68KB

MD5
d57cd95de07d3b15eb5cf8baa80471af

SHA1
322c0e13f2022ab255a8d2a50c5835779b6ccc3e

SHA256
651efdc8961efbf6476e4cc4b3965a4da72690ebedda009fd800c6d936a67696

SHA512
2e98256a9e76ae384f88b83075a321f60cb13ee6f7e8cb93f1919103b82ba79a67b5eec8a7d3043fe26b377fae58545e82323813897c0e67adfacaa885d6f68e

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Bookmarks-2024500535.452555452.backup

Filesize
1KB

MD5
3adec702d4472e3252ca8b58af62247c

SHA1
35d1d2f90b80dca80ad398f411c93fe8aef07435

SHA256
2b167248e8136c4d45c2c46e2bff6fb5e5137dd4dfdccde998599be2df2e9335

SHA512
7562e093d16ee6305c1bb143a3f5d60dafe8b5de74952709abc68a0c353b65416bf78b1fa1a6720331615898848c1464a7758c5dfe78f8098f77fbfa924784c0

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Preferences-2024500535.452555452.backup

Filesize
313B

MD5
af006f1bcc57b11c3478be8babc036a8

SHA1
c3bb4fa8c905565ca6a1f218e39fe7494910891e

SHA256
ed6a32e11cc99728771989b01f5ae813de80c46a59d3dc68c23a4671a343cb8c

SHA512
3d20689b0f39b414349c505be607e6bfc1f33ac401cf62a32f36f7114e4a486552f3e74661e90db29402bb85866944e9f8f31baba9605aa0c6def621511a26af

Download Submit
C:\Users\Admin\AppData\Roaming\Yandex\ui

Filesize
38B

MD5
4db5809f39d62df00c32abaf0490ff08

SHA1
b277601f48715587ef1fa4dc3e82eeeb19fb938b

SHA256
f15a854923cd13a5d733b1c1bc08e09b056ab7165aeda1fb1d8edb840475a76c

SHA512
52ccdea45dba2b773f6d0fbe66a204a473d237e11dc9022837172ea3e8fe6b4c9576c90c589b61344c2ee704b6889ad52fde21a803a4682a6b5f753d293b764b

Download Submit
C:\Windows\Installer\MSI50CF.tmp

Filesize
172KB

MD5
743d6e05d8798ffd9c8387a212dfb484

SHA1
39b144771095ba33e674421fe5b31bf742beb0ef

SHA256
e9fa16a42930f6f50bfcdc5c284e53bf2ab08dbdb1dfeaa5131c6f7d60a14415

SHA512
538f92d237326fe2d2d07cb98141f5e565beb9640398f5bb41e7b8531d1a19f6f065761e55819a7a8d2be773533e960d53d854cb8b46efd04be88748df33915f

Download Submit
C:\Windows\Installer\MSI513E.tmp

Filesize
189KB

MD5
e8a6a0d0f1ab61db4d24d9ba6a25d753

SHA1
131a3b9c11f2dc99c19f186eb921ef5d16a23cac

SHA256
c74a882c071bd9bd710be812ffd6e6b140b59fa714021159e91e7f6bb0e73e08

SHA512
33a2fdc6da1ce0117d2638f590cecb62477fa789dddbaf9cd2af17dd227687e3a172dab4c207a0154179e0ae62a64b2e8e6398d417369ef2b43db4e5f8966fd4

Download Submit
C:\Windows\Installer\MSI52EC.tmp

Filesize
202KB

MD5
ba84dd4e0c1408828ccc1de09f585eda

SHA1
e8e10065d479f8f591b9885ea8487bc673301298

SHA256
3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852

SHA512
7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290

Download Submit