Malware Analysis Report

2024-11-30 06:12

Sample ID: 240612-qaccmswbka
Target: 2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber
SHA256: 05e7c78141093b0ca5a02cfec727a5ba40002cc731a589a098f46b221c3240d4
Tags: discovery, spyware, stealer
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2
  Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

Score: 7/10
SHA256: 05e7c78141093b0ca5a02cfec727a5ba40002cc731a589a098f46b221c3240d4
Threat level: shows suspicious behavior

The file 2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber was found to show suspicious behavior. No family-specific signature fired: the tags below are behaviour classes, and the "magniber" in the target name is part of the submitted filename, not a sandbox verdict. The artefacts recorded in the behavioral1 run (YandexSearch.msi, lite_installer.exe launched with a browser.yandex.ru welcome page, seederexe.exe, sender.exe, and traffic to clck.yandex.ru and soft.export.yandex.ru) are consistent with a Yandex Search/Browser bundle installer rather than with ransomware.

Malicious Activity Summary

Tags: discovery, spyware, stealer

- Loads dropped DLL
- Reads user/profile data of web browsers
- Executes dropped EXE
- Blocklisted process makes network request
- Checks installed software on the system
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Enumerates physical storage devices
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-12 13:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-12 13:03
Reported: 2024-06-12 13:05
Platform: win7-20231129-en
Max time kernel: 117s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\msiexec.exe | N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\A: B: E: G: H: I: J: K: L: M: N: O: P: Q: R: S: T: U: V: W: X: Y: Z: (23 letters, listed in the order I M O R E N Q S Z G P W X A J U H L Y B K T V) | C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe | N/A
File opened (read-only) | the same 23 letters (listed in the order K R G V U H Q T I Y J O S E M P A B L N W X Z) | C:\Windows\system32\msiexec.exe | N/A

Both processes probe every drive letter except C:, D: and F:.

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI1BFD.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI1C3C.tmp | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Windows\Installer\f7615c2.msi | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI1A83.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI1BDD.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI19D6.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI1AA3.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI1C5D.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\f7615c3.ipi | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI1BCC.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI1CBB.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI1E52.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI1E72.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\f7615c2.msi | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Windows\Installer\f7615c3.ipi | C:\Windows\system32\msiexec.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\Temp\EADA3D52-9143-4744-95A6-E56D9BD1D276\seederexe.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\EADA3D52-9143-4744-95A6-E56D9BD1D276\seederexe.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, then SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (31 adjustments, in this order) | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe | N/A
Token: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege, then the pair SeRestorePrivilege, SeTakeOwnershipPrivilege repeated 15 more times (33 adjustments) | N/A | C:\Windows\system32\msiexec.exe | N/A

The 29-entry run from SeCreateTokenPrivilege to SeCreateGlobalPrivilege is the well-known privilege table in ascending LUID order (2 through 30 in winnt.h): the sample tried to enable every privilege its token could hold rather than a chosen few. This is a common installer idiom as well as a malware one, so on its own it is weak evidence. The msiexec.exe pairs (SeRestore/SeTakeOwnership) are what the Windows Installer service enables before writing into C:\Windows\Installer.
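The drive-probe and privilege tables above are easier to judge once reduced to per-process counts and sequences. The Python below is an added example, not part of the sandbox output: it transcribes this run's rows into literals and implements two checks, a drive-letter sweep (how many distinct letters a process probed and which it skipped) and a privilege-walk check that recognises privileges being enabled in ascending LUID order, using the well-known LUID values from winnt.h. The threshold of 8 letters is an arbitrary choice for illustration.

```python
"""Two behavioural checks over rows transcribed from this report's behavioral1
'Enumerates connected drives' and 'Suspicious use of AdjustPrivilegeToken' tables.
Added example, not sandbox output; row order is the order the report lists them."""
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe"
MSIEXEC = r"C:\Windows\system32\msiexec.exe"

# (drive letter opened read-only as \??\X:, process), transcribed from the report.
DRIVE_ROWS = ([(c, SAMPLE) for c in "IMORENQSZGPWXAJUHLYBKTV"]
              + [(c, MSIEXEC) for c in "KRGVUHQTIYJOSEMPABLNWXZ"])

# (privilege, process) in the order enabled; names are Se<Name>Privilege minus prefix/suffix.
TOKEN_ROWS = ([(p, SAMPLE) for p in (
    "Shutdown IncreaseQuota CreateToken AssignPrimaryToken LockMemory IncreaseQuota "
    "MachineAccount Tcb Security TakeOwnership LoadDriver SystemProfile Systemtime "
    "ProfSingleProcess IncBasePriority CreatePagefile CreatePermanent Backup Restore "
    "Shutdown Debug Audit SystemEnvironment ChangeNotify RemoteShutdown Undock SyncAgent "
    "EnableDelegation ManageVolume Impersonate CreateGlobal").split()]
    + [(p, MSIEXEC) for p in ["Restore", "TakeOwnership", "Security"]
       + ["Restore", "TakeOwnership"] * 15])

# Well-known privilege LUIDs from winnt.h: SE_CREATE_TOKEN_PRIVILEGE = 2 ... SE_CREATE_GLOBAL_PRIVILEGE = 30.
LUID = {name: luid for luid, name in enumerate((
    "CreateToken AssignPrimaryToken LockMemory IncreaseQuota MachineAccount Tcb Security "
    "TakeOwnership LoadDriver SystemProfile Systemtime ProfSingleProcess IncBasePriority "
    "CreatePagefile CreatePermanent Backup Restore Shutdown Debug Audit SystemEnvironment "
    "ChangeNotify RemoteShutdown Undock SyncAgent EnableDelegation ManageVolume Impersonate "
    "CreateGlobal").split(), start=2)}


def by_process(rows):
    """Group (item, process) rows into {process: [items in report order]}."""
    out = defaultdict(list)
    for item, proc in rows:
        out[proc].append(item)
    return out


def drive_sweep(rows, threshold=8):
    """{process: sorted distinct letters} for processes that probed >= threshold letters."""
    return {p: "".join(sorted(set(v)))
            for p, v in by_process(rows).items() if len(set(v)) >= threshold}


def unprobed(letters):
    """Letters of A..Z not in `letters` (usually the volumes that already exist)."""
    return "".join(c for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ" if c not in letters)


def longest_luid_run(seq):
    """Longest run of privileges enabled in consecutive ascending LUID order.
    A run of 29 (LUIDs 2..30) means the code walked the whole well-known table."""
    best = run = 0
    prev = None
    for name in seq:
        cur = LUID.get(name)
        if cur is None:            # not a well-known privilege: breaks any run
            run, prev = 0, None
            continue
        run = run + 1 if prev is not None and cur == prev + 1 else 1
        best, prev = max(best, run), cur
    return best


def privilege_sweep(rows):
    """{process: (distinct privileges enabled, longest consecutive-LUID run)}."""
    return {p: (len(set(v)), longest_luid_run(v)) for p, v in by_process(rows).items()}


if __name__ == "__main__":
    for proc, letters in drive_sweep(DRIVE_ROWS).items():
        print(f"{proc}\n  probed {len(letters)} letters, skipped {unprobed(letters)}")
    for proc, (distinct, run) in privilege_sweep(TOKEN_ROWS).items():
        print(f"{proc}\n  {distinct} distinct privileges, longest LUID-ordered run {run}")
```

Run stand-alone it reports that both processes probed 23 letters and skipped C, D and F, and that the sample's longest LUID-ordered run is 29 while msiexec.exe's is 1; a run that long is the signature of an "enable everything" loop over LookupPrivilegeValue/AdjustTokenPrivileges rather than of targeted privilege use.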

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Occurrences
PID 2408 wrote to memory of 1960 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe | 7
PID 1960 wrote to memory of 1528 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Users\Admin\AppData\Local\Temp\CDF622A1-7533-4511-B090-618B772D8286\lite_installer.exe | 7
PID 1960 wrote to memory of 2176 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Users\Admin\AppData\Local\Temp\EADA3D52-9143-4744-95A6-E56D9BD1D276\seederexe.exe | 4
PID 2176 wrote to memory of 836 | N/A | C:\Users\Admin\AppData\Local\Temp\EADA3D52-9143-4744-95A6-E56D9BD1D276\seederexe.exe | C:\Users\Admin\AppData\Local\Temp\87FFB23F-AEA1-4335-BDC8-4BB1A0077015\sender.exe | 4

Every target here is the writer's own child, and the writes are the ones CreateProcess performs while setting up a new process, so this table reads as process lineage rather than injection: the Windows Installer service (msiexec.exe /V, PID 2408) spawns the 32-bit custom-action server (MsiExec.exe -Embedding, PID 1960), which runs lite_installer.exe and seederexe.exe, and seederexe.exe runs sender.exe. The sample itself does not appear as a writer because it hands the MSI to the installer service instead of launching the payloads directly.
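Reading lineage out of a WriteProcessMemory table by eye is error-prone once there are more than a handful of rows. The Python below is an added example, not sandbox output: it parses rows transcribed from the table above (repeated as often as the report lists them), folds them into a parent/child graph with per-edge counts, labels each image with a role heuristic derived from the command lines in the Processes section, and prints an indented tree. The role labels ("Windows Installer service" for msiexec.exe /V, "MSI custom action server" for MsiExec.exe -Embedding) are this example's own naming.

```python
"""Rebuild process lineage from 'PID A wrote to memory of B' rows.
Added example, not sandbox output; rows are transcribed from this report's
behavioral1 WriteProcessMemory table with the same repetition counts."""
import re
from collections import Counter, defaultdict

WPM_ROWS = (
    [r"PID 2408 wrote to memory of 1960 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe"] * 7
    + [r"PID 1960 wrote to memory of 1528 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\CDF622A1-7533-4511-B090-618B772D8286\lite_installer.exe"] * 7
    + [r"PID 1960 wrote to memory of 2176 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\EADA3D52-9143-4744-95A6-E56D9BD1D276\seederexe.exe"] * 4
    + [r"PID 2176 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\EADA3D52-9143-4744-95A6-E56D9BD1D276\seederexe.exe C:\Users\Admin\AppData\Local\Temp\87FFB23F-AEA1-4335-BDC8-4BB1A0077015\sender.exe"] * 4
)

# Command lines from the Processes section, keyed by image path.
CMDLINES = {
    r"C:\Windows\system32\msiexec.exe": r"C:\Windows\system32\msiexec.exe /V",
    r"C:\Windows\syswow64\MsiExec.exe": r"C:\Windows\syswow64\MsiExec.exe -Embedding E99F52C97D5EDC0E50208105D7A5D5F5",
}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")


def parse_wpm(rows):
    """Return (edge counts {(ppid, cpid): n}, {pid: image path}); unparsable rows are skipped."""
    edges, names = Counter(), {}
    for row in rows:
        m = WPM_RE.fullmatch(row)
        if not m:
            continue
        ppid, cpid, ppath, cpath = m.groups()
        edges[(int(ppid), int(cpid))] += 1
        names[int(ppid)], names[int(cpid)] = ppath, cpath
    return edges, names


def children(edges):
    """{ppid: [cpid, ...]} built from the distinct edges."""
    tree = defaultdict(list)
    for ppid, cpid in edges:
        tree[ppid].append(cpid)
    return tree


def roots(edges):
    """PIDs that write to others but are never written to (the top of each lineage)."""
    parents = {p for p, _ in edges}
    kids = {c for _, c in edges}
    return sorted(parents - kids)


def role(path, cmdlines=CMDLINES):
    """Heuristic label from the command line: installer service, custom-action server, dropped binary."""
    cmd = cmdlines.get(path, "")
    if cmd.endswith(" /V"):
        return "Windows Installer service"
    if "-Embedding" in cmd:
        return "MSI custom action server"
    if "\\AppData\\Local\\Temp\\" in path:
        return "dropped binary"
    return "other"


def render(edges, names, root, depth=0):
    """Indented tree lines: 'pid image (role) [n writes]'."""
    tree = children(edges)
    lines = [f"{'  ' * depth}{root} {names[root]} ({role(names[root])})"]
    for cpid in sorted(tree[root]):
        sub = render(edges, names, cpid, depth + 1)
        sub[0] += f" [{edges[(root, cpid)]} writes]"
        lines += sub
    return lines


if __name__ == "__main__":
    e, n = parse_wpm(WPM_ROWS)
    for r in roots(e):
        print("\n".join(render(e, n, r)))
```

The same parser works unchanged on the behavioral2 table once its rows are pasted in; a target PID that is not also a child in the Processes list (for example a write into an already-running explorer.exe) would be the case worth escalating, and none occurs in this run.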

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding E99F52C97D5EDC0E50208105D7A5D5F5

C:\Users\Admin\AppData\Local\Temp\CDF622A1-7533-4511-B090-618B772D8286\lite_installer.exe

"C:\Users\Admin\AppData\Local\Temp\CDF622A1-7533-4511-B090-618B772D8286\lite_installer.exe" --use-user-default-locale --silent --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/

C:\Users\Admin\AppData\Local\Temp\EADA3D52-9143-4744-95A6-E56D9BD1D276\seederexe.exe

"C:\Users\Admin\AppData\Local\Temp\EADA3D52-9143-4744-95A6-E56D9BD1D276\seederexe.exe" "--yqs=" "--yhp=" "--ilight=" "--oem=" "--nopin=n" "--pin_custom=n" "--pin_desktop=n" "--pin_taskbar=y" "--locale=us" "--browser=" "--browser_default=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\87FFB23F-AEA1-4335-BDC8-4BB1A0077015\sender.exe" "--is_elevated=yes" "--ui_level=5" "--good_token=x" "--no_opera=n"

C:\Users\Admin\AppData\Local\Temp\87FFB23F-AEA1-4335-BDC8-4BB1A0077015\sender.exe

C:\Users\Admin\AppData\Local\Temp\87FFB23F-AEA1-4335-BDC8-4BB1A0077015\sender.exe --send "/status.xml?clid=2765538&uuid=8f5ed4dd-E937-484D-AD3F-B2743C33ce78&vnt=Windows 7x64&file-no=6%0A15%0A25%0A45%0A57%0A59%0A111%0A125%0A129%0A"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.microsoft.com | udp
US | 8.8.8.8:53 | clck.yandex.ru | udp
RU | 77.88.21.14:80 | clck.yandex.ru | tcp
RU | 77.88.21.14:80 | clck.yandex.ru | tcp
US | 8.8.8.8:53 | soft.export.yandex.ru | udp
RU | 87.250.254.20:80 | soft.export.yandex.ru | tcp
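The sender.exe command line in the Processes section carries the installer's status beacon as a URL fragment, and the table above mixes DNS lookups with the TCP connections that followed them. The Python below is an added example, not sandbox output: it decodes the beacon's query string (the percent-encoded newlines in file-no hide a list of integers) and pairs each resolved domain with the addresses actually contacted, so that a name resolved but never connected to stands out. The rows and the beacon string are transcribed from this report.

```python
"""Decode the sender.exe status beacon and pair DNS answers with TCP connections.
Added example, not sandbox output; data transcribed from the behavioral1 run."""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Argument passed to sender.exe --send (from the Processes section).
SENDER_ARG = ("/status.xml?clid=2765538&uuid=8f5ed4dd-E937-484D-AD3F-B2743C33ce78"
              "&vnt=Windows 7x64&file-no=6%0A15%0A25%0A45%0A57%0A59%0A111%0A125%0A129%0A")

# (country, destination, domain, proto) rows from the Network table.
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "www.microsoft.com", "udp"),
    ("US", "8.8.8.8:53", "clck.yandex.ru", "udp"),
    ("RU", "77.88.21.14:80", "clck.yandex.ru", "tcp"),
    ("RU", "77.88.21.14:80", "clck.yandex.ru", "tcp"),
    ("US", "8.8.8.8:53", "soft.export.yandex.ru", "udp"),
    ("RU", "87.250.254.20:80", "soft.export.yandex.ru", "tcp"),
]


def decode_beacon(arg):
    """Split the beacon into path and decoded fields; file-no becomes a list of ints."""
    parts = urlsplit(arg)
    q = parse_qs(parts.query)
    return {
        "path": parts.path,
        "clid": q["clid"][0],
        "uuid": q["uuid"][0],
        "vnt": q["vnt"][0],
        "file_no": [int(x) for x in q["file-no"][0].split("\n") if x],
    }


def dns_vs_connections(rows):
    """{domain: set of IPs connected to over TCP}; resolved-only domains map to an empty set."""
    contacted = defaultdict(set)
    for _, dest, domain, proto in rows:
        if proto == "udp" and dest.endswith(":53"):
            contacted.setdefault(domain, set())          # DNS lookup seen
        elif proto == "tcp":
            contacted[domain].add(dest.rsplit(":", 1)[0])  # strip the port
    return dict(contacted)


def resolved_only(rows):
    """Domains that were looked up but never connected to."""
    return sorted(d for d, ips in dns_vs_connections(rows).items() if not ips)


if __name__ == "__main__":
    print(decode_beacon(SENDER_ARG))
    print(dns_vs_connections(NETWORK_ROWS))
    print("resolved but not contacted:", resolved_only(NETWORK_ROWS))
```

For this run the only resolved-but-uncontacted name is www.microsoft.com; the two yandex.ru hosts each map to a single address, which is what to carry into a blocklist if this installer is unwanted in your environment.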

Files

C:\Users\Admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi

MD5 a685e7710dfd278be21aad1d88f6037f
SHA1 c40bdb55e24180aeb3f94927f4ab857a10bae870
SHA256 3274d31cd9e5ee72687e8fc0bd2d53e47cd61301a0a715a572b4c29fcb808ed4
SHA512 fd77dc748bfbe53f871f18c3449a7ccc3c9b44a41aff4f2475f5c5a667cdfefd7231a23a723bb9599cdf884473abce42752067201d4aaf6245f65ffd4ebf3375

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar12BB.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 b1c55240454d0b8dfcdc28d36b556e0b
SHA1 4520d7b32cd32e130079833e974188fceedddbdc
SHA256 11f9c8a690a18881d177dfaa8be3ffb8c006f3f175192b126ffb564eb2bf24d8
SHA512 1b6eb98d4728eac2975bafb148e216b886500304e89d005a0148ce00c2a425ae48107c237a8654d06bb59e764b2ca6d83b95863b26e2d3fa454446998194c828

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\Local\Temp\YandexSearch00000.log

MD5 14cb1e10be90546068f7a62d7c545e1d
SHA1 b9e4ea6ae4e0e5b5a21f7125a9e1867b53120198
SHA256 2c4d92013eaf414578ff93df266bda144dd76f2c26696ec958033a5f36330573
SHA512 d32500f68653f65b226437d215ab88510733edee371b524288df3d45a77b0d8b5fcfc1fd10dc27cc4c116481928b8a1f5992085333cc22309796f49d5ebe921c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 41fa317293b7999cbe9cb36d722b190a
SHA1 40a059e7a83ca2a500084e1e18b66ea7e71c9866
SHA256 12451afeac9881719ce5e2b1b0f5787648919d989053eed42774b8cfaab1b6bc
SHA512 ddd3bdd73fb0b1722f68835d03068cf2e9976d7a73b834af6dc24b7b030c67070699520c500d36e1c82e3621c40609db5b4f20bbc183277a1700130423fecd99

C:\Windows\Installer\MSI19D6.tmp

MD5 0c80a997d37d930e7317d6dac8bb7ae1
SHA1 018f13dfa43e103801a69a20b1fab0d609ace8a5
SHA256 a5dd2f97c6787c335b7807ff9b6966877e9dd811f9e26326837a7d2bd224de86
SHA512 fe1caef6d727344c60df52380a6e4ab90ae1a8eb5f96d6054eced1b7734357ce080d944fa518cf1366e14c4c0bd9a41db679738a860800430034a75bb90e51a5

C:\Windows\Installer\MSI1A83.tmp

MD5 e6fd0e66cf3bfd3cc04a05647c3c7c54
SHA1 6a1b7f1a45fb578de6492af7e2fede15c866739f
SHA256 669cc0aae068ced3154acaecb0c692c4c5e61bc2ca95b40395a3399e75fcb9b2
SHA512 fc8613f31acaf6155852d3ad6130fc3b76674b463dcdcfcd08a3b367dfd9e5b991e3f0a26994bcaf42f9e863a46a81e2520e77b1d99f703bcb08800bdca4efcb

C:\Users\Admin\AppData\Local\Temp\vendor00000.xml

MD5 10cdb2ce3fe53937c8a0879033424135
SHA1 061e1fc38f7075d0e6b40b00004225f64f046cbd
SHA256 1bd0f826e60de8c54b4becd496b5f7b642ec10a3a0c4b827479c7c6e0d50ae00
SHA512 4539da3e183e4856614b5baa50f54a384edf3bea4bfebade45c019a046fc2bac94734e019ac3420905707e19907241452f6b72214a373ddfd6a684dd04f67ed7

\Users\Admin\AppData\Local\Temp\CDF622A1-7533-4511-B090-618B772D8286\lite_installer.exe

MD5 aafdfaa7a989ddb216510fc9ae5b877f
SHA1 41cf94692968a7d511b6051b7fe2b15c784770cb
SHA256 688d0b782437ccfae2944281ade651a2da063f222e80b3510789dbdce8b00fdc
SHA512 6e2b76ff6df79c6de6887cf739848d05c894fbd70dc9371fff95e6ccd9938d695c46516cb18ec8edd01e78cad1a6029a3d633895f7ddba4db4bf9cd39271bd44

\Users\Admin\AppData\Local\Temp\EADA3D52-9143-4744-95A6-E56D9BD1D276\seederexe.exe

MD5 225ba20fa3edd13c9c72f600ff90e6cb
SHA1 5f1a9baa85c2afe29619e7cc848036d9174701e4
SHA256 35585d12899435e13e186490fcf1d270adbe3c74a1e0578b3d9314858bf2d797
SHA512 97e699cffe28d3c3611570d341ccbc1a0f0eec233c377c70e0e20d4ed3b956b6fe200a007f7e601a5724e733c97eaddc39d308b9af58d45f7598f10038d94ab3

C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml

MD5 c569a73140c7682adb47b64117c4144f
SHA1 d894792b4dfa7c5f6e696f05fd7dfd9c3f9a2ebd
SHA256 761715b9e682b75c6c41c9664263c0cddac295d4725ddf92fe267aac2fc1e54b
SHA512 b30001a70cd1265f206bf0c7458791e37d7890d5777fe43ec6c901368b3788efba849ce91c364da47c9084b73382b1eccc8c3614fe7fc9d1b8155021014e46e0

C:\Users\Admin\AppData\Roaming\Yandex\ui

MD5 fcd2b22794b824ecc92a3823d9a566ce
SHA1 174b1519bcf86a7933f0adc7bb0f879a20df4c6d
SHA256 693b33530dae478937d2ef2168398c3091ea631fb989f7eeefd8e5f11568342a
SHA512 ff2ff171896e1b7ddff526a5f979203583d512b72c0f9cafcd07c20f9ca4cc64704552b01b1689bcfda4c0119ff1e18391b75af459abaf23d7fc03f41beb3730

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 86ccb9bf54927a2abd93cd38e51593b4
SHA1 4bff9876cc7a5233f432bc741d7c6e7d3d715e4d
SHA256 03b8edf36c1c48cf1cf29676918cbaab91e015610ae59617a3202e043c1c5c41
SHA512 4db33cd3c132e05fabbdc8cf90d500bcdedd37722f6f1a090d4d70621ef57bfe15360f2276fe2bedc64eff4238bb7c5734b3897345f85ebcc8bf963927a96c39

C:\Config.Msi\f7615c4.rbs

MD5 eefcfd87c1fe2d765acf67403e2e3be6
SHA1 2f1fa9ca39d61e2edaa4ab93d413306dab00fe62
SHA256 e5519f7ee24e88180a8ddfc6958a7bb7298e4413c8bf2151ad200982d142f278
SHA512 75bf202c44027e142d5cd00e7f2720d145843f315f7571b090891a3ccc7e0710457eab6ccb218b3f9e16abd538e343ee2429440ace6b6151594f27c423ea2a02

C:\Users\Admin\AppData\Local\Temp\OMNIJA~1.ZIP

MD5 1d6cfd7db58008d1b44328c5a3a4220c
SHA1 8e8304bfd7a73b9ae8415b6cbd273e612868a2b2
SHA256 915e46dcc29d6fee123c4b8e88d846ac95ffd4a6f4eb956dc882d305ee1b8256
SHA512 4c17160aa83abeff897462f981226902dd6694817ad95f246511fc63c637bdffa0989a3db00c4309fa673a13b4993c509df538ddad482d1be8b4058749ee93f2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.Admin\places.sqlite-20240612130316.477600.backup

MD5 314cb7ffb31e3cc676847e03108378ba
SHA1 3667d2ade77624e79d9efa08a2f1d33104ac6343
SHA256 b6d278384a3684409a2a86f03e4f52869818ce7dd8b5779876960353f7d35dc1
SHA512 dc795fa35ea214843a781ee2b2ef551b91b6841a799bef2c6fb1907d90f6c114071a951ebb7b2b30e81d52b594d447a26ab12ddb57c331e854577d11e5febef5

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Bookmarks-20240612130316.540000.backup

MD5 3adec702d4472e3252ca8b58af62247c
SHA1 35d1d2f90b80dca80ad398f411c93fe8aef07435
SHA256 2b167248e8136c4d45c2c46e2bff6fb5e5137dd4dfdccde998599be2df2e9335
SHA512 7562e093d16ee6305c1bb143a3f5d60dafe8b5de74952709abc68a0c353b65416bf78b1fa1a6720331615898848c1464a7758c5dfe78f8098f77fbfa924784c0

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Preferences-20240612130316.540000.backup

MD5 af006f1bcc57b11c3478be8babc036a8
SHA1 c3bb4fa8c905565ca6a1f218e39fe7494910891e
SHA256 ed6a32e11cc99728771989b01f5ae813de80c46a59d3dc68c23a4671a343cb8c
SHA512 3d20689b0f39b414349c505be607e6bfc1f33ac401cf62a32f36f7114e4a486552f3e74661e90db29402bb85866944e9f8f31baba9605aa0c6def621511a26af

\Users\Admin\AppData\Local\Temp\87FFB23F-AEA1-4335-BDC8-4BB1A0077015\sender.exe

MD5 f1a8f60c018647902e70cf3869e1563f
SHA1 3caf9c51dfd75206d944d4c536f5f5ff8e225ae9
SHA256 36022c6ecb3426791e6edee9074a3861fe5b660d98f2b2b7c13b80fe11a75577
SHA512 c02dfd6276ad136283230cdf07d30ec2090562e6c60d6c0d4ac3110013780fcafd76e13931be53b924a35cf473d0f5ace2f6b5c3f1f70ce66b40338e53d38d1e

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-12 13:03
Reported: 2024-06-12 13:05
Platform: win10v2004-20240508-en
Max time kernel: 143s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\A: B: E: G: H: I: J: K: L: M: N: O: P: Q: R: S: T: U: V: W: X: Y: Z: (23 letters, listed in the order O B K L T V E I X W G J A H M Z P Q R S Y N U) | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | the same 23 letters (listed in the order Q S T U L M R W I J P X H K V A E N Y B O Z G) | C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe | N/A

As in the Windows 7 run, both processes probe every drive letter except C:, D: and F:.

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\symbols\dll\wUxTheme.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\apphelp.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\wgdi32full.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\shlwapi.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\shcore.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\WLDP.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\DLL\iphlpapi.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\rasadhlp.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\DLL\wkernel32.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\combase.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\shlwapi.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\wimm32.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\bcryptprimitives.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\msvcp_win.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\winhttp.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\DLL\wsspicli.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\WLDP.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\msvcrt.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\wgdi32full.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\version.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\dbghelp.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\apphelp.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\secur32.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\DLL\winnsi.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\dnsapi.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\shcore.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\nsi.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\wsspicli.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows.Storage.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\ws2_32.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\winsta.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\Windows.Storage.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\Kernel.Appcore.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\shell32.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\ucrtbase.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\ucrtbase.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\version.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\combase.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\DLL\wimm32.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\wkernel32.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\advapi32.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\msvcrt.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\wrpcrt4.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\advapi32.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\wtsapi32.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\dbghelp.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\wgdi32full.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\shcore.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\dnsapi.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\bcryptprimitives.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\webio.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\stat_sender.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\wntdll.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp_win.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\wuser32.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\CLBCatQ.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\wmswsock.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\rasadhlp.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\wntdll.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\ole32.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\version.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\Windows.Storage.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\iphlpapi.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A
File opened for modification C:\Windows\SysWOW64\wntdll.pdb C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\e58438c.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e58438c.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI46D9.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4796.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI47D7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI48B4.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI47A7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI47F7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4B08.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI467A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4718.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4865.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4A4C.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{5B964E0E-B9A3-4276-9ED9-4D5A5720747A} C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Users\Admin\AppData\Local\Temp\073E2BE6-D6A3-4719-8614-F9AC146CD624\seederexe.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\073E2BE6-D6A3-4719-8614-F9AC146CD624\seederexe.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1 C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2036 wrote to memory of 1940 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2036 wrote to memory of 1940 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2036 wrote to memory of 1940 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1940 wrote to memory of 4556 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\4D6BDF39-A8AF-47BE-BABD-82BE444AB126\lite_installer.exe
PID 1940 wrote to memory of 4556 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\4D6BDF39-A8AF-47BE-BABD-82BE444AB126\lite_installer.exe
PID 1940 wrote to memory of 4556 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\4D6BDF39-A8AF-47BE-BABD-82BE444AB126\lite_installer.exe
PID 1940 wrote to memory of 4316 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\073E2BE6-D6A3-4719-8614-F9AC146CD624\seederexe.exe
PID 1940 wrote to memory of 4316 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\073E2BE6-D6A3-4719-8614-F9AC146CD624\seederexe.exe
PID 1940 wrote to memory of 4316 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\073E2BE6-D6A3-4719-8614-F9AC146CD624\seederexe.exe
PID 4316 wrote to memory of 13040 N/A C:\Users\Admin\AppData\Local\Temp\073E2BE6-D6A3-4719-8614-F9AC146CD624\seederexe.exe C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe
PID 4316 wrote to memory of 13040 N/A C:\Users\Admin\AppData\Local\Temp\073E2BE6-D6A3-4719-8614-F9AC146CD624\seederexe.exe C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe
PID 4316 wrote to memory of 13040 N/A C:\Users\Admin\AppData\Local\Temp\073E2BE6-D6A3-4719-8614-F9AC146CD624\seederexe.exe C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3452,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4604 /prefetch:8

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 4C6EA568D1A62173C21F69B7299F4D2A

C:\Users\Admin\AppData\Local\Temp\4D6BDF39-A8AF-47BE-BABD-82BE444AB126\lite_installer.exe

"C:\Users\Admin\AppData\Local\Temp\4D6BDF39-A8AF-47BE-BABD-82BE444AB126\lite_installer.exe" --use-user-default-locale --silent --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/

C:\Users\Admin\AppData\Local\Temp\073E2BE6-D6A3-4719-8614-F9AC146CD624\seederexe.exe

"C:\Users\Admin\AppData\Local\Temp\073E2BE6-D6A3-4719-8614-F9AC146CD624\seederexe.exe" "--yqs=" "--yhp=" "--ilight=" "--oem=" "--nopin=n" "--pin_custom=n" "--pin_desktop=n" "--pin_taskbar=y" "--locale=us" "--browser=" "--browser_default=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe" "--is_elevated=yes" "--ui_level=5" "--good_token=x" "--no_opera=n"

C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe

C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe --send "/status.xml?clid=2765538&uuid=5070d918-3619-45bf-b2e7-df73bc92486f&vnt=Windows 10x64&file-no=8%0A15%0A25%0A45%0A57%0A59%0A102%0A111%0A125%0A129%0A"
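
The WriteProcessMemory rows and the process list above are enough to rebuild the execution chain by hand, but a script does it repeatably and makes the interesting edges stand out. The following is an added example, not part of this sandbox report or of any tool it names: it parses rows in the report's own "PID X wrote to memory of Y" layout into a process tree with a per-edge event count, flags the EXEs that msiexec.exe launched out of GUID-named folders under %TEMP% (a hunting check, since legitimate MSI custom actions look the same), and decodes the status.xml query that sender.exe was started with. The sample rows and the sender.exe command line are copied from this page; the regexes, function names and the tree layout are the example's own.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample input: the WriteProcessMemory rows and the sender.exe command
# line copied from this report, so the script runs offline against page data.
MEMORY_ROWS = r"""
PID 1940 wrote to memory of 4556 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\4D6BDF39-A8AF-47BE-BABD-82BE444AB126\lite_installer.exe
PID 1940 wrote to memory of 4556 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\4D6BDF39-A8AF-47BE-BABD-82BE444AB126\lite_installer.exe
PID 1940 wrote to memory of 4316 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\073E2BE6-D6A3-4719-8614-F9AC146CD624\seederexe.exe
PID 1940 wrote to memory of 4316 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\073E2BE6-D6A3-4719-8614-F9AC146CD624\seederexe.exe
PID 1940 wrote to memory of 4316 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\073E2BE6-D6A3-4719-8614-F9AC146CD624\seederexe.exe
PID 4316 wrote to memory of 13040 N/A C:\Users\Admin\AppData\Local\Temp\073E2BE6-D6A3-4719-8614-F9AC146CD624\seederexe.exe C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe
PID 4316 wrote to memory of 13040 N/A C:\Users\Admin\AppData\Local\Temp\073E2BE6-D6A3-4719-8614-F9AC146CD624\seederexe.exe C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe
PID 4316 wrote to memory of 13040 N/A C:\Users\Admin\AppData\Local\Temp\073E2BE6-D6A3-4719-8614-F9AC146CD624\seederexe.exe C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe
"""
SENDER_CMDLINE = r'C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe --send "/status.xml?clid=2765538&uuid=5070d918-3619-45bf-b2e7-df73bc92486f&vnt=Windows 10x64&file-no=8%0A15%0A25%0A45%0A57%0A59%0A102%0A111%0A125%0A129%0A"'

# Row layout used by the report: PID <ppid> wrote to memory of <pid> N/A <parent image> <child image>
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+\.exe)$", re.I)
# An EXE inside a GUID-named folder directly under %TEMP%, as the dropped installers here are
TEMP_GUID_RE = re.compile(
    r"\\AppData\\Local\\Temp\\[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\\[^\\]+\.exe$", re.I)


def parse_memory_rows(text):
    """Parse the report's WriteProcessMemory rows into parent/child edges."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"ppid": int(m[1]), "pid": int(m[2]),
                         "pimage": m[3], "image": m[4]})
    return rows


def build_tree(rows):
    """Collapse repeated rows into one edge per (parent, child), keeping the event count."""
    counts = Counter((r["ppid"], r["pid"]) for r in rows)
    images = {}
    for r in rows:
        images[r["ppid"]] = r["pimage"]
        images[r["pid"]] = r["image"]
    children = {}
    for ppid, pid in counts:
        children.setdefault(ppid, []).append(pid)
    spawned = {r["pid"] for r in rows}
    roots = sorted(p for p in images if p not in spawned)  # parents nobody wrote into
    return roots, children, images, counts


def render_tree(rows):
    """Indented view of the chain: one line per process, one per edge with its count."""
    roots, children, images, counts = build_tree(rows)
    out = []

    def walk(pid, depth):
        out.append("  " * depth + f"{pid} {images[pid]}")
        for child in sorted(children.get(pid, [])):
            out.append("  " * depth + f"  |-- {counts[(pid, child)]}x WriteProcessMemory")
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(out)


def msi_spawned_temp_exes(rows):
    """Hunting check: msiexec.exe writing into an EXE that lives in a GUID-named %TEMP%
    folder, the pattern the MSI custom actions in this report follow. Legitimate
    installers do the same, so a hit is a lead to triage, not a verdict."""
    return sorted({(r["ppid"], r["pid"], r["image"]) for r in rows
                   if r["pimage"].lower().endswith("\\msiexec.exe")
                   and TEMP_GUID_RE.search(r["image"])})


def decode_beacon(cmdline):
    """Take sender.exe's --send argument apart: request path, client id, install uuid,
    OS tag, and the %0A (newline) separated list of file numbers it reports."""
    m = re.search(r'--send "([^"]+)"', cmdline)
    if not m:
        return None
    url = urlsplit(m[1])
    fields = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    fields["path"] = url.path
    fields["file-no"] = [int(n) for n in fields.get("file-no", "").split("\n") if n]
    return fields


if __name__ == "__main__":
    rows = parse_memory_rows(MEMORY_ROWS)
    print(render_tree(rows))
    for ppid, pid, image in msi_spawned_temp_exes(rows):
        print(f"msiexec ({ppid}) -> {pid} {image}")
    print(decode_beacon(SENDER_CMDLINE))
```

On this page's rows the tree has a single root, the syswow64 MsiExec.exe (PID 1940), which wrote into lite_installer.exe twice and seederexe.exe three times; seederexe.exe in turn wrote into sender.exe three times. Only the two direct children of msiexec.exe trip the %TEMP% GUID check; sender.exe does not, because its parent is seederexe.exe. The decoded query shows the clid, the install uuid and the "Windows 10x64" tag that sender.exe reported over the connection that the Network section's clck.yandex.ru and soft.export.yandex.ru lookups belong to.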

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 clck.yandex.ru udp
US 8.8.8.8:53 soft.export.yandex.ru udp

Files

C:\Users\Admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi

MD5 a685e7710dfd278be21aad1d88f6037f
SHA1 c40bdb55e24180aeb3f94927f4ab857a10bae870
SHA256 3274d31cd9e5ee72687e8fc0bd2d53e47cd61301a0a715a572b4c29fcb808ed4
SHA512 fd77dc748bfbe53f871f18c3449a7ccc3c9b44a41aff4f2475f5c5a667cdfefd7231a23a723bb9599cdf884473abce42752067201d4aaf6245f65ffd4ebf3375

C:\Users\Admin\AppData\Local\Temp\YandexSearch00000.log

MD5 e1cb51bc98b3c4562d37252df45e7444
SHA1 6fbfd14b4767c83148f6415e9bae094bca485eed
SHA256 16ee84230bbf672e20c36170e8f5e34c351ed0aa1e9423533ea1d2f19e7bf47b
SHA512 e5a13d7217f0538ec32b33719219f91465878fa36c34e537806fb7d35e1b9d009051268928210490e29ea8d0c81e604e6c54f30965e78ec353a56c58a1006293

C:\Windows\Installer\MSI467A.tmp

MD5 0c80a997d37d930e7317d6dac8bb7ae1
SHA1 018f13dfa43e103801a69a20b1fab0d609ace8a5
SHA256 a5dd2f97c6787c335b7807ff9b6966877e9dd811f9e26326837a7d2bd224de86
SHA512 fe1caef6d727344c60df52380a6e4ab90ae1a8eb5f96d6054eced1b7734357ce080d944fa518cf1366e14c4c0bd9a41db679738a860800430034a75bb90e51a5

C:\Windows\Installer\MSI46D9.tmp

MD5 e6fd0e66cf3bfd3cc04a05647c3c7c54
SHA1 6a1b7f1a45fb578de6492af7e2fede15c866739f
SHA256 669cc0aae068ced3154acaecb0c692c4c5e61bc2ca95b40395a3399e75fcb9b2
SHA512 fc8613f31acaf6155852d3ad6130fc3b76674b463dcdcfcd08a3b367dfd9e5b991e3f0a26994bcaf42f9e863a46a81e2520e77b1d99f703bcb08800bdca4efcb

C:\Users\Admin\AppData\Local\Temp\vendor00000.xml

MD5 10cdb2ce3fe53937c8a0879033424135
SHA1 061e1fc38f7075d0e6b40b00004225f64f046cbd
SHA256 1bd0f826e60de8c54b4becd496b5f7b642ec10a3a0c4b827479c7c6e0d50ae00
SHA512 4539da3e183e4856614b5baa50f54a384edf3bea4bfebade45c019a046fc2bac94734e019ac3420905707e19907241452f6b72214a373ddfd6a684dd04f67ed7

C:\Users\Admin\AppData\Local\Temp\4D6BDF39-A8AF-47BE-BABD-82BE444AB126\lite_installer.exe

MD5 aafdfaa7a989ddb216510fc9ae5b877f
SHA1 41cf94692968a7d511b6051b7fe2b15c784770cb
SHA256 688d0b782437ccfae2944281ade651a2da063f222e80b3510789dbdce8b00fdc
SHA512 6e2b76ff6df79c6de6887cf739848d05c894fbd70dc9371fff95e6ccd9938d695c46516cb18ec8edd01e78cad1a6029a3d633895f7ddba4db4bf9cd39271bd44

C:\Users\Admin\AppData\Local\Temp\073E2BE6-D6A3-4719-8614-F9AC146CD624\seederexe.exe

MD5 225ba20fa3edd13c9c72f600ff90e6cb
SHA1 5f1a9baa85c2afe29619e7cc848036d9174701e4
SHA256 35585d12899435e13e186490fcf1d270adbe3c74a1e0578b3d9314858bf2d797
SHA512 97e699cffe28d3c3611570d341ccbc1a0f0eec233c377c70e0e20d4ed3b956b6fe200a007f7e601a5724e733c97eaddc39d308b9af58d45f7598f10038d94ab3

C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml

MD5 c569a73140c7682adb47b64117c4144f
SHA1 d894792b4dfa7c5f6e696f05fd7dfd9c3f9a2ebd
SHA256 761715b9e682b75c6c41c9664263c0cddac295d4725ddf92fe267aac2fc1e54b
SHA512 b30001a70cd1265f206bf0c7458791e37d7890d5777fe43ec6c901368b3788efba849ce91c364da47c9084b73382b1eccc8c3614fe7fc9d1b8155021014e46e0

C:\Users\Admin\AppData\Local\Temp\tmp4316aaaaaa

MD5 fefc3d677388386c29d8720c15b9db3f
SHA1 370f1f40ae5c652d87b3b8f42e67d827af2b1754
SHA256 74d5e8d3cd8d659d8df8e6f306832dfc252e1a6e676bb60334e31b5943deb4fb
SHA512 b462ca1ffb0798bedc39c945daa75ff73e0efbb1c6dfdb262e6b2936158933f514f0b4169e811069df11aaeaebd39c826ce0caf9f6eb6d77de249fca6abe39fe

C:\Config.Msi\e58438d.rbs

MD5 31d2753e55767ab2597bf531661d2151
SHA1 b1f4742930cb928fc570ff273a161c844fc28d64
SHA256 986593c10baf38f0aeb9a890986ac603f9c2327034d69f4292bef55b40e48f03
SHA512 930fbc4aa5107a6d7a7dee82a0086f41980f7aaa82d562042884c77329c9675fdb7702b742156d26f15a6576e366ea6c434e4c105044ebf321ba4db76fdb610c

C:\Users\Admin\AppData\Local\Temp\omnija-20240312.zip

MD5 dc5128fcb8d7f6b849f1166532db2dc8
SHA1 8427501d440d5edbbb2662294bc5650d2bc8aab5
SHA256 36e682f419c2b5d8e7c285d36088b56d59df3869dbd181943280696d4ca391ca
SHA512 bcf0d463ed4f01a313b8e6be745ad55b42108be84cc5850c411dec19aa7c6d996782da49fc208559f1188941bdd1082d954cfa316f08c0ad2efcf0662952e524

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kwvh0l1k.Admin\places.sqlite-20240612130339.630260.backup

MD5 314cb7ffb31e3cc676847e03108378ba
SHA1 3667d2ade77624e79d9efa08a2f1d33104ac6343
SHA256 b6d278384a3684409a2a86f03e4f52869818ce7dd8b5779876960353f7d35dc1
SHA512 dc795fa35ea214843a781ee2b2ef551b91b6841a799bef2c6fb1907d90f6c114071a951ebb7b2b30e81d52b594d447a26ab12ddb57c331e854577d11e5febef5

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Bookmarks-20240612130339.958373.backup

MD5 3adec702d4472e3252ca8b58af62247c
SHA1 35d1d2f90b80dca80ad398f411c93fe8aef07435
SHA256 2b167248e8136c4d45c2c46e2bff6fb5e5137dd4dfdccde998599be2df2e9335
SHA512 7562e093d16ee6305c1bb143a3f5d60dafe8b5de74952709abc68a0c353b65416bf78b1fa1a6720331615898848c1464a7758c5dfe78f8098f77fbfa924784c0

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Preferences-20240612130339.958373.backup

MD5 af006f1bcc57b11c3478be8babc036a8
SHA1 c3bb4fa8c905565ca6a1f218e39fe7494910891e
SHA256 ed6a32e11cc99728771989b01f5ae813de80c46a59d3dc68c23a4671a343cb8c
SHA512 3d20689b0f39b414349c505be607e6bfc1f33ac401cf62a32f36f7114e4a486552f3e74661e90db29402bb85866944e9f8f31baba9605aa0c6def621511a26af

C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe

MD5 f1a8f60c018647902e70cf3869e1563f
SHA1 3caf9c51dfd75206d944d4c536f5f5ff8e225ae9
SHA256 36022c6ecb3426791e6edee9074a3861fe5b660d98f2b2b7c13b80fe11a75577
SHA512 c02dfd6276ad136283230cdf07d30ec2090562e6c60d6c0d4ac3110013780fcafd76e13931be53b924a35cf473d0f5ace2f6b5c3f1f70ce66b40338e53d38d1e

C:\Users\Admin\AppData\Roaming\Yandex\ui

MD5 a1b396bc3f125a7a0b1e33e8557f21aa
SHA1 1a116b9ad05547e217c52f37df7f8fcf387d2128
SHA256 02ba4a6e2d8037e2fed43d76d15909f8bac5fb3e15491aedc2eb6b37d15d1a45
SHA512 85160da65d11c7f175ed8b2757d89d2626e0586509ca1fd0f38e25ba5e03dbc5f3bb7db78d91b9cb830fb1d2048ebd377a8b99fde7e075d9c71616d638f429f8