Analysis
max time kernel: 31s
max time network: 121s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 10/08/2024, 05:23 UTC
Static task: static1

Behavioral task: behavioral1
  Sample: 2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
  Resource: win7-20240705-en

Behavioral task: behavioral2
  Sample: 2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
  Resource: win10v2004-20240802-en
General
Target: 2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
Size: 12.2MB
MD5: 24aaef994cfd0a3fbc365113e77b3581
SHA1: 77b2e31bcf0ad92a33a9646d5b77764ced1b0d24
SHA256: 3447e7723ea026da14b1a2842d2ce6f1c6898c5fe255dd78d120a4d6b87f106a
SHA512: c0e4922e8aabc4c59047d72f135e52a81be3d66c435601bffc7e530e203d257f4a3d6f7d71c6c8b5c75f24c002b81ef1e7af1f544875a3eae2c49b50b30236c9
SSDEEP: 196608:jPg2CWhGuZvjwQklner7/0S+6JfRbkebsN/cJ67DgKEl9sMvrrqNJ2R7v:jYgGG7wFln+3fRb0V7El9s+rqNcv
Malware Config
Signatures
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe

Modifies registry class (3 IoCs)
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{FF8EFF09-2CE0-443F-B774-755550B4AFB5}\LaunchPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000 | 2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{FF8EFF09-2CE0-443F-B774-755550B4AFB5}\AccessPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000 | 2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{FF8EFF09-2CE0-443F-B774-755550B4AFB5} | 2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe

Modifies system certificate store (4 IoCs)
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (blob data elided) | 2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | 2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (blob data elided) | 2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (blob data elided) | 2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1212 | 2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
1212 | 2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
1212 | 2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
1212 | 2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe"
PID: 1212
- System Location Discovery: System Language Discovery
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
DNS wsgeoip.pdf-suite.com
Remote address: 8.8.8.8:53
Request: wsgeoip.pdf-suite.com IN A
Response: wsgeoip.pdf-suite.com IN A 104.21.57.28
          wsgeoip.pdf-suite.com IN A 172.67.158.191

POST https://wsgeoip.pdf-suite.com/ipservice.asmx
Process: 2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
Remote address: 104.21.57.28:443
Request:
POST /ipservice.asmx HTTP/1.1
Accept: text/*
SOAPAction: "http://upclick.com/GetLocationInfo"
Content-Type: text/xml; charset=utf-8
User-Agent: VCSoapClient
Host: wsgeoip.pdf-suite.com
Content-Length: 346
Connection: Keep-Alive
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
strict-transport-security: max-age=31536000; includeSubDomains
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cBd12%2BHAyqT1clYgh26dSLdVvAvcFfQUPq5LmtQoTabO8HT0IsJapq%2FqyDc5oaQp4PHKaCeMks4w82gzK9PYRnuBjdbvasacHWZRUMVwRRPfdeAZRbPpjyqkClxMK3N0uegZdXXsarI%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8b0d8d64282260fd-LHR
alt-svc: h3=":443"; ma=86400
DNS c.pki.goog
Remote address: 8.8.8.8:53
Request: c.pki.goog IN A
Response: c.pki.goog IN CNAME pki-goog.l.google.com
          pki-goog.l.google.com IN A 142.250.179.131

GET http://c.pki.goog/r/gsr1.crl
Process: 2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
Remote address: 142.250.179.131:80
Request:
GET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog
Response:
HTTP/1.1 200 OK
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1739
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Sat, 10 Aug 2024 04:48:03 GMT
Expires: Sat, 10 Aug 2024 05:38:03 GMT
Cache-Control: public, max-age=3000
Age: 2106
Last-Modified: Mon, 08 Jul 2024 07:38:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
GET http://c.pki.goog/r/r4.crl
Process: 2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
Remote address: 142.250.179.131:80
Request:
GET /r/r4.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog
Response:
HTTP/1.1 200 OK
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 436
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Sat, 10 Aug 2024 04:48:03 GMT
Expires: Sat, 10 Aug 2024 05:38:03 GMT
Cache-Control: public, max-age=3000
Age: 2107
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
DNS avqservice.avanquest.com
Remote address: 8.8.8.8:53
Request: avqservice.avanquest.com IN A
Response: avqservice.avanquest.com IN A 104.18.6.41
          avqservice.avanquest.com IN A 104.18.7.41

POST https://avqservice.avanquest.com/api/v4/services/installers/socialidupdate/pdfsuite/
Process: 2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
Remote address: 104.18.6.41:443
Request:
POST /api/v4/services/installers/socialidupdate/pdfsuite/ HTTP/1.1
Host: avqservice.avanquest.com
User-Agent: PDF Suite 20 Installer 20.0.14.3253
Connection: TE
TE: gzip
Accept-Encoding: deflate, gzip
Accept: application/json
Content-Type: application/json
Content-Length: 90
Expect: 100-continue
Response:
HTTP/1.1 404 Not Found
Content-Type: application/json; charset=utf-8
Content-Length: 45
Connection: keep-alive
X-Powered-By: Express
ETag: W/"2d-fzSH650WcRVLKdcIgeRvTs/vlCU"
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 8b0d8d7808d3beab-LHR
DNS api-updateservice.pdf-suite.com
Process: 2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
Remote address: 8.8.8.8:53
Request: api-updateservice.pdf-suite.com IN A
Response: api-updateservice.pdf-suite.com IN A 172.67.158.191
          api-updateservice.pdf-suite.com IN A 104.21.57.28

POST https://api-updateservice.pdf-suite.com/api/v1/products/info
Process: 2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
Remote address: 172.67.158.191:443
Request:
POST /api/v1/products/info HTTP/1.1
Host: api-updateservice.pdf-suite.com
User-Agent: PDF Suite 20 Installer 20.0.14.3253
Connection: TE
TE: gzip
Accept-Encoding: deflate, gzip
Accept: application/json
Content-Type: application/json
Content-Length: 605
Expect: 100-continue
Response:
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
vary: Accept-Encoding
strict-transport-security: max-age=31536000; includeSubDomains
Content-Encoding: gzip
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eB%2FKETFUWlUXe2Bofg5gDwChUN0df1QPHI%2FdhxslbsoO0Bd0%2FueP3ZCX48BAhhLqjwhF4a3GWnqgCcfVejr95d23Iy5FSPVLDHCiqkqQyHxuwvYIi1DhjlfYZxNx%2FExwioc7KCaLDH2zns3ED3j2NrAE"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8b0d8d7c2bcc9460-LHR
alt-svc: h3=":443"; ma=86400
DNS crl.microsoft.com
Remote address: 8.8.8.8:53
Request: crl.microsoft.com IN A
Response: crl.microsoft.com IN CNAME crl.www.ms.akadns.net
          crl.www.ms.akadns.net IN CNAME a1363.dscg.akamai.net
          a1363.dscg.akamai.net IN A 2.18.190.71
          a1363.dscg.akamai.net IN A 2.18.190.80

GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
Remote address: 2.18.190.71:80
Request:
GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 01 May 2024 09:28:59 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
Response:
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-MD5: 5xIscz+eN7ugykyYXOEdbQ==
Last-Modified: Thu, 11 Jul 2024 01:45:51 GMT
ETag: 0x8DCA14B323B2CC0
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: a4477661-c01e-0047-59b2-e33cb1000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Sat, 10 Aug 2024 05:23:40 GMT
Connection: keep-alive

104.21.57.28:443 | https://wsgeoip.pdf-suite.com/ipservice.asmx | tls, http | 2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe | 1.4kB 5.0kB 11 11
  HTTP Request: POST https://wsgeoip.pdf-suite.com/ipservice.asmx
  HTTP Response: 200

142.250.179.131:80 | http://c.pki.goog/r/r4.crl | http | 2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe | 606 B 5.0kB 8 6
  HTTP Request: GET http://c.pki.goog/r/gsr1.crl
  HTTP Response: 200
  HTTP Request: GET http://c.pki.goog/r/r4.crl
  HTTP Response: 200

104.18.6.41:443 | https://avqservice.avanquest.com/api/v4/services/installers/socialidupdate/pdfsuite/ | tls, http | 2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe | 1.2kB 3.7kB 10 11
  HTTP Request: POST https://avqservice.avanquest.com/api/v4/services/installers/socialidupdate/pdfsuite/
  HTTP Response: 404

172.67.158.191:443 | https://api-updateservice.pdf-suite.com/api/v1/products/info | tls, http | 2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe | 1.8kB 5.3kB 11 13
  HTTP Request: POST https://api-updateservice.pdf-suite.com/api/v1/products/info
  HTTP Response: 200

399 B 1.7kB 4 4
  HTTP Request: GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
  HTTP Response: 200

8.8.8.8:53 | wsgeoip.pdf-suite.com | dns | 2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe | 67 B 99 B 1 1
  DNS Request: wsgeoip.pdf-suite.com
  DNS Response: 104.21.57.28, 172.67.158.191

56 B 107 B 1 1
  DNS Request: c.pki.goog
  DNS Response: 142.250.179.131

8.8.8.8:53 | avqservice.avanquest.com | dns | 2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe | 70 B 102 B 1 1
  DNS Request: avqservice.avanquest.com
  DNS Response: 104.18.6.41, 104.18.7.41

8.8.8.8:53 | api-updateservice.pdf-suite.com | dns | 2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe | 77 B 109 B 1 1
  DNS Request: api-updateservice.pdf-suite.com
  DNS Response: 172.67.158.191, 104.21.57.28

63 B 162 B 1 1
  DNS Request: crl.microsoft.com
  DNS Response: 2.18.190.71, 2.18.190.80
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 16ade691900d191c5189320b8bcd16cc
SHA1: fc504b6ce36390897852e17e98e13110caf5857f
SHA256: eebc9c4ff1781f83e0aa5b2aa31ecdf40cb035fd4dd460ec67602e90bb165cb3
SHA512: af68f697a7454c718ce96329c1b57f5ac1416473c3909cd7c8dea1bde2f586c5549bce9ff1505a8a7ff84bfa8994bb9cd0bb659848ad3c332e67e95a91d61206

Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b