Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
16-09-2024 17:46
Static task
static1
Behavioral task
behavioral1
Sample
2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe
Resource
win7-20240903-en
General
-
Target
2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe
-
Size
10.2MB
-
MD5
18b5196c49a9611141dd28e90986e4b5
-
SHA1
d0714355ee4eca860a45d08ac33ca1761df828dd
-
SHA256
4994d99b024a69536c6df49657916c91ff00d64d371a27c52be4bf85f45fb037
-
SHA512
b82c3f8c22652dbf2c96e2b8b2b5e4744626c7896918cb12f7b55fbac9d5b3b37af54b68ccad6ed00d6f4aa257e5fcde9fe178e09fbf13f796e86bfc4b5c5421
-
SSDEEP
196608:vdad4T0xcsSB5orrcbSsi0s/lmPJ7N3VvXWrqufezvqT:ladCoXrlAJ7N3pXW2uGzyT
Malware Config
Signatures
-
Detects Floxif payload 1 IoCs
resource yara_rule behavioral2/files/0x000a0000000233fa-1.dat floxif -
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral2/files/0x000a0000000233fa-1.dat acprotect -
Executes dropped EXE 3 IoCs
pid Process 5116 lite_installer.exe 1664 seederexe.exe 6692 sender.exe -
Loads dropped DLL 11 IoCs
pid Process 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe 3252 MsiExec.exe 3252 MsiExec.exe 3252 MsiExec.exe 3252 MsiExec.exe 3252 MsiExec.exe 3252 MsiExec.exe 3252 MsiExec.exe 3252 MsiExec.exe 3252 MsiExec.exe 3252 MsiExec.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/files/0x000a0000000233fa-1.dat upx behavioral2/memory/1980-3-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral2/memory/1980-226-0x0000000010000000-0x0000000010030000-memory.dmp upx -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 47 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\H: 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe File opened (read-only) \??\N: 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe File opened (read-only) \??\O: 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe File opened (read-only) \??\T: 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe File opened (read-only) \??\V: 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe File opened (read-only) \??\G: 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe File opened (read-only) \??\Q: 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe File opened (read-only) \??\S: 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\E: 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe File opened (read-only) \??\P: 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\U: 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe File opened (read-only) \??\Z: 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\L: 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe File opened (read-only) \??\X: 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe File opened (read-only) \??\K: 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\A: 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe File opened (read-only) \??\I: 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe File opened (read-only) \??\e: 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\M: 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe File opened (read-only) \??\W: 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe File opened (read-only) \??\Y: 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\J: 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe File opened (read-only) \??\R: 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files\Common Files\System\symsrv.dll 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe File created \??\c:\program files\common files\system\symsrv.dll.000 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe -
Drops file in Windows directory 17 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSIA5BF.tmp msiexec.exe File opened for modification C:\Windows\Installer\e57a19f.msi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSIA452.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIA482.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIA4A2.tmp msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Installer\e57a19f.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIA2E7.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIA4E2.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIA550.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIA346.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIA3A4.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIA432.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{5B964E0E-B9A3-4276-9ED9-4D5A5720747A} msiexec.exe File opened for modification C:\Windows\Installer\MSIA66C.tmp msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sender.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lite_installer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language seederexe.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\SearchScopes seederexe.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main seederexe.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 0400000001000000100000004fdd07e4d42264391e0c3742ead1c6ae0300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd17e00000001000000080000000080c82b6886d7017a000000010000000c000000300a06082b060105050703091d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a07f0000000100000016000000301406082b0601050507030306082b060105050703096200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf690b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520036000000090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff1190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 5c000000010000000400000000100000190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd0f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff153000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d0020005200360000006200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf697f0000000100000016000000301406082b0601050507030306082b06010505070309140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a01d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef7a000000010000000c000000300a06082b060105050703097e00000001000000080000000080c82b6886d7010300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd10400000001000000100000004fdd07e4d42264391e0c3742ead1c6ae200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 0f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff153000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d0020005200360000006200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf697f0000000100000016000000301406082b0601050507030306082b06010505070309140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a01d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef7a000000010000000c000000300a06082b060105050703097e00000001000000080000000080c82b6886d7010300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd1200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd0f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff153000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d0020005200360000006200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf697f0000000100000016000000301406082b0601050507030306082b06010505070309140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a01d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef7a000000010000000c000000300a06082b060105050703097e00000001000000080000000080c82b6886d7010300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd1200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe 2400 msiexec.exe 2400 msiexec.exe 5116 lite_installer.exe 5116 lite_installer.exe 1664 seederexe.exe 1664 seederexe.exe 6692 sender.exe 6692 sender.exe 5116 lite_installer.exe 5116 lite_installer.exe -
Suspicious use of AdjustPrivilegeToken 61 IoCs
description pid Process Token: SeDebugPrivilege 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Token: SeShutdownPrivilege 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Token: SeIncreaseQuotaPrivilege 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Token: SeSecurityPrivilege 2400 msiexec.exe Token: SeCreateTokenPrivilege 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Token: SeAssignPrimaryTokenPrivilege 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Token: SeLockMemoryPrivilege 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Token: SeIncreaseQuotaPrivilege 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Token: SeMachineAccountPrivilege 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Token: SeTcbPrivilege 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Token: SeSecurityPrivilege 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Token: SeTakeOwnershipPrivilege 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Token: SeLoadDriverPrivilege 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Token: SeSystemProfilePrivilege 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Token: SeSystemtimePrivilege 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Token: SeProfSingleProcessPrivilege 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Token: SeIncBasePriorityPrivilege 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Token: SeCreatePagefilePrivilege 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Token: SeCreatePermanentPrivilege 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Token: SeBackupPrivilege 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Token: SeRestorePrivilege 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Token: SeShutdownPrivilege 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Token: SeDebugPrivilege 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Token: SeAuditPrivilege 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Token: SeSystemEnvironmentPrivilege 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Token: SeChangeNotifyPrivilege 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Token: SeRemoteShutdownPrivilege 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Token: SeUndockPrivilege 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Token: SeSyncAgentPrivilege 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Token: SeEnableDelegationPrivilege 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Token: SeManageVolumePrivilege 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Token: SeImpersonatePrivilege 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Token: SeCreateGlobalPrivilege 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe Token: SeRestorePrivilege 2400 msiexec.exe Token: SeTakeOwnershipPrivilege 2400 msiexec.exe Token: SeRestorePrivilege 2400 msiexec.exe Token: SeTakeOwnershipPrivilege 2400 msiexec.exe Token: SeRestorePrivilege 2400 msiexec.exe Token: SeTakeOwnershipPrivilege 2400 msiexec.exe Token: SeRestorePrivilege 2400 msiexec.exe Token: SeTakeOwnershipPrivilege 2400 msiexec.exe Token: SeRestorePrivilege 2400 msiexec.exe Token: SeTakeOwnershipPrivilege 2400 msiexec.exe Token: SeRestorePrivilege 2400 msiexec.exe Token: SeTakeOwnershipPrivilege 2400 msiexec.exe Token: SeRestorePrivilege 2400 msiexec.exe Token: SeTakeOwnershipPrivilege 2400 msiexec.exe Token: SeRestorePrivilege 2400 msiexec.exe Token: SeTakeOwnershipPrivilege 2400 msiexec.exe Token: SeRestorePrivilege 2400 msiexec.exe Token: SeTakeOwnershipPrivilege 2400 msiexec.exe Token: SeRestorePrivilege 2400 msiexec.exe Token: SeTakeOwnershipPrivilege 2400 msiexec.exe Token: SeRestorePrivilege 2400 msiexec.exe Token: SeTakeOwnershipPrivilege 2400 msiexec.exe Token: SeRestorePrivilege 2400 msiexec.exe Token: SeTakeOwnershipPrivilege 2400 msiexec.exe Token: SeRestorePrivilege 2400 msiexec.exe Token: SeTakeOwnershipPrivilege 2400 msiexec.exe Token: SeRestorePrivilege 2400 msiexec.exe Token: SeTakeOwnershipPrivilege 2400 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe 1980 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2400 wrote to memory of 3252 2400 msiexec.exe 84 PID 2400 wrote to memory of 3252 2400 msiexec.exe 84 PID 2400 wrote to memory of 3252 2400 msiexec.exe 84 PID 3252 wrote to memory of 5116 3252 MsiExec.exe 85 PID 3252 wrote to memory of 5116 3252 MsiExec.exe 85 PID 3252 wrote to memory of 5116 3252 MsiExec.exe 85 PID 3252 wrote to memory of 1664 3252 MsiExec.exe 87 PID 3252 wrote to memory of 1664 3252 MsiExec.exe 87 PID 3252 wrote to memory of 1664 3252 MsiExec.exe 87 PID 1664 wrote to memory of 6692 1664 seederexe.exe 92 PID 1664 wrote to memory of 6692 1664 seederexe.exe 92 PID 1664 wrote to memory of 6692 1664 seederexe.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe"C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe"1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1980
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding BE5FD16574D12B609296BB07739E492E2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3252 -
C:\Users\Admin\AppData\Local\Temp\5A8A29E9-78F4-4A1C-B7C2-6BC821FE2A40\lite_installer.exe"C:\Users\Admin\AppData\Local\Temp\5A8A29E9-78F4-4A1C-B7C2-6BC821FE2A40\lite_installer.exe" --use-user-default-locale --silent --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5116
-
-
C:\Users\Admin\AppData\Local\Temp\EDA6B66D-D266-4438-889A-EE6D9FA6BB53\seederexe.exe"C:\Users\Admin\AppData\Local\Temp\EDA6B66D-D266-4438-889A-EE6D9FA6BB53\seederexe.exe" "--yqs=" "--yhp=" "--ilight=" "--oem=" "--nopin=n" "--pin_custom=n" "--pin_desktop=n" "--pin_taskbar=y" "--locale=us" "--browser=" "--browser_default=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\A7A20E76-6C06-4ECA-A344-EAA148A7E26E\sender.exe" "--is_elevated=yes" "--ui_level=5" "--good_token=x" "--no_opera=n"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Users\Admin\AppData\Local\Temp\A7A20E76-6C06-4ECA-A344-EAA148A7E26E\sender.exeC:\Users\Admin\AppData\Local\Temp\A7A20E76-6C06-4ECA-A344-EAA148A7E26E\sender.exe --send "/status.xml?clid=9183476&uuid=1bcb2a9f-7d23-4585-846d-ccf59f867551&vnt=Windows 10x64&file-no=8%0A15%0A25%0A45%0A57%0A59%0A102%0A111%0A125%0A129%0A"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:6692
-
-
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
575B
MD5b9c0200932c380cc01db0dc8ab4a6252
SHA1bfa3841893eb761cdd15563b8bfb52a8cae72836
SHA2568be55f52c75145d77d7c75e8f007056cd4a5f831acfdb789493ce8fb86f20263
SHA512fc0e55ea57ea17284be54ee22f96e4014776174186bf72bc1a9abfb05514612a6b49cf6f9e8c4188382773adeb95220aaa0b7a72aa8eb3248072ab077d8653fe
-
Filesize
67KB
MD57574cf2c64f35161ab1292e2f532aabf
SHA114ba3fa927a06224dfe587014299e834def4644f
SHA256de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA5124db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_394487CAFBCFB8C5917AD7A10924C8A7
Filesize1KB
MD541abbf43f4ffb8d6fd44c6cc1d0df535
SHA106ea5ccc2d8fdd9c3de05a127fa27a36eea5352d
SHA256baf69982271ba57e8b845dd473e465e0ce54836af8c46078c3cdba4c908066c7
SHA512ec6225202f9b3d30bc7a63edbbd6b02ded1d610de2293aabbb8a3a2930dad23c8f4795ba41dedd68fe0657f0fa7cfb55594665b9aad6d77a77e932453aea38b5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
Filesize1KB
MD59301f8b08f4a50edfdcb00222eff6d38
SHA13572b7930dc0d057b9ce3da8f2e3ae55c6e8d1d8
SHA256daf5a7b210974af392bc4b1f5b525f4780b1861dd80418a15743e09d1c1e4e9c
SHA512371aa39b2c49599fbb72ffd66abaeb612204e9c95054b0c236b925365a48480e35a93c097967ac5960aa97f881940fb262fdc51d5305eaa0aeeeaf33040b3cf6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_394487CAFBCFB8C5917AD7A10924C8A7
Filesize536B
MD5891b1beb45c53a0b6d367668cf940bda
SHA19fb59590131a924f28dbac1fc3fca2d6b149b716
SHA2569255a65b809b158171b6c4c0ae11e28220e84bc63e5982d06e12134e886177be
SHA5127ce8635c9fc8a3183e5493073b82777e984f291f566b4ae2822b8578045fc583de3b7b9d0c55f846897fd439174304911bc215a41c3943bd878f478ac9a23577
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
Filesize536B
MD5e1158894b18f52d33151e37e5f9648d6
SHA1f9d13b45ac50ac2811fca3f381f2ea4647d75c7a
SHA256233f2b250918c7d7015c373b5ca163c0efeb8bc46aa285742a5fe21a53e78bcd
SHA5125eb7f3547501363ebc53e36eca4f80abe72bf4c62451be6918f1f8270b43a10e8bcfef122ec1c04927c48971f5e49c811057a51c38eadcc617d1830e205c05cb
-
Filesize
419KB
MD5aafdfaa7a989ddb216510fc9ae5b877f
SHA141cf94692968a7d511b6051b7fe2b15c784770cb
SHA256688d0b782437ccfae2944281ade651a2da063f222e80b3510789dbdce8b00fdc
SHA5126e2b76ff6df79c6de6887cf739848d05c894fbd70dc9371fff95e6ccd9938d695c46516cb18ec8edd01e78cad1a6029a3d633895f7ddba4db4bf9cd39271bd44
-
Filesize
260KB
MD5f1a8f60c018647902e70cf3869e1563f
SHA13caf9c51dfd75206d944d4c536f5f5ff8e225ae9
SHA25636022c6ecb3426791e6edee9074a3861fe5b660d98f2b2b7c13b80fe11a75577
SHA512c02dfd6276ad136283230cdf07d30ec2090562e6c60d6c0d4ac3110013780fcafd76e13931be53b924a35cf473d0f5ace2f6b5c3f1f70ce66b40338e53d38d1e
-
Filesize
8.6MB
MD5225ba20fa3edd13c9c72f600ff90e6cb
SHA15f1a9baa85c2afe29619e7cc848036d9174701e4
SHA25635585d12899435e13e186490fcf1d270adbe3c74a1e0578b3d9314858bf2d797
SHA51297e699cffe28d3c3611570d341ccbc1a0f0eec233c377c70e0e20d4ed3b956b6fe200a007f7e601a5724e733c97eaddc39d308b9af58d45f7598f10038d94ab3
-
Filesize
34KB
MD5c914f5b83ed80cb8b93df05637dc6701
SHA12f5fcb2daf7bfbc2a8d4f313a95fd2300674547b
SHA256a732200faff9d4f3e1537d08aa1c5116abf88f540d3f612cc418c9c9beddc850
SHA5120c17156d9badd83da1ea05a12ce650ee11f2b9da225642ec7cdafca5cf0d9219384225470fb5c01ee4635f092c0a28292fe66e6bb416aef66b65cd344624d7ac
-
Filesize
531B
MD5f1083a9453af8796ae5b0df6d4e8ce57
SHA12567b4c551c179614d213514bed8ceb20e4f97e8
SHA256637a4d28261e4819483ca7296cf6b6eb5768e2e82b218a3edca4c007b9941788
SHA512fd5993494290326be52da2105ca176c588f490fd9c4a98514178a1459887064b6bd09f4e4168dd1a35a2e5e5b58b887cfc0e595e4b1a8e2a79bc93c2ea1cd880
-
Filesize
42.1MB
MD5c5750fc92569e781bd36bdcc8215aa4c
SHA14c9a2b4b4da46de31c27120c76a8f74d410cba17
SHA256eeb36cbca086fc67b9eb6946db764d8d2940a0dc22b2cea28c0d77e4d1e3ed78
SHA512602a26fce9bd2f6b724a7e741191c611cbcbff5fbde616123379cea6a4b8fd629cbdf6d2b2314324d38d8c96b7fe6a57416d93d46b29d35388d0dad9147946f7
-
Filesize
2.5MB
MD5fefc3d677388386c29d8720c15b9db3f
SHA1370f1f40ae5c652d87b3b8f42e67d827af2b1754
SHA25674d5e8d3cd8d659d8df8e6f306832dfc252e1a6e676bb60334e31b5943deb4fb
SHA512b462ca1ffb0798bedc39c945daa75ff73e0efbb1c6dfdb262e6b2936158933f514f0b4169e811069df11aaeaebd39c826ce0caf9f6eb6d77de249fca6abe39fe
-
Filesize
510B
MD5c528466ba6d4f66966aa31021aa339dc
SHA1ee953f22f33b25d80cbfe250d64fed4d2da80091
SHA256546e928b7127a4515b089f0b913078404b664a5df33c928a281888c25b03760f
SHA512ebd159dbc6f47b6f70e4f47d9de6bc540c86c915c44df7a4dd50c1c6a431303bb06e22382e8a76e9e2399d24263feca64305a74fa4b50314f8b429b141af601c
-
Filesize
9.8MB
MD5db69b41b1827ccc598a416e0d32e4a39
SHA1acc35592e318c32d0f4ac768f32f1f8243ba230c
SHA256b5a4c7a05785ac51553953bf951c284ff03a9ac7d1cba15fa391d0b6c7aed5cc
SHA512d40479e0dd384a99fefbc8a43381dde21b2633320393566ecdb2895fa88008794b996d7fac3ddae102c6dd516cdb3c14e3e52ff7371472cc0894c444a4b4d867
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ldjzjqt.Admin\places.sqlite-20240916174709.218969.backup
Filesize68KB
MD5314cb7ffb31e3cc676847e03108378ba
SHA13667d2ade77624e79d9efa08a2f1d33104ac6343
SHA256b6d278384a3684409a2a86f03e4f52869818ce7dd8b5779876960353f7d35dc1
SHA512dc795fa35ea214843a781ee2b2ef551b91b6841a799bef2c6fb1907d90f6c114071a951ebb7b2b30e81d52b594d447a26ab12ddb57c331e854577d11e5febef5
-
Filesize
1KB
MD53adec702d4472e3252ca8b58af62247c
SHA135d1d2f90b80dca80ad398f411c93fe8aef07435
SHA2562b167248e8136c4d45c2c46e2bff6fb5e5137dd4dfdccde998599be2df2e9335
SHA5127562e093d16ee6305c1bb143a3f5d60dafe8b5de74952709abc68a0c353b65416bf78b1fa1a6720331615898848c1464a7758c5dfe78f8098f77fbfa924784c0
-
Filesize
313B
MD5af006f1bcc57b11c3478be8babc036a8
SHA1c3bb4fa8c905565ca6a1f218e39fe7494910891e
SHA256ed6a32e11cc99728771989b01f5ae813de80c46a59d3dc68c23a4671a343cb8c
SHA5123d20689b0f39b414349c505be607e6bfc1f33ac401cf62a32f36f7114e4a486552f3e74661e90db29402bb85866944e9f8f31baba9605aa0c6def621511a26af
-
Filesize
38B
MD580f3bcfc6945bb24925c96895b4746b9
SHA134305a706b01c14f079bafcb3df4466d7c4baf02
SHA25638fdbf9e8d4f1e2699def0364c0aa2e99628a23e8e149cc729e3a780507ddbca
SHA51234f4eb128055ae771204f81d0020a0e385d53d055fe42cdb67506b909640517c5142efa3ef2445365303aa0523e089501d2132777d81c1538e321999ffb10767
-
Filesize
181KB
MD50c80a997d37d930e7317d6dac8bb7ae1
SHA1018f13dfa43e103801a69a20b1fab0d609ace8a5
SHA256a5dd2f97c6787c335b7807ff9b6966877e9dd811f9e26326837a7d2bd224de86
SHA512fe1caef6d727344c60df52380a6e4ab90ae1a8eb5f96d6054eced1b7734357ce080d944fa518cf1366e14c4c0bd9a41db679738a860800430034a75bb90e51a5
-
Filesize
189KB
MD5e6fd0e66cf3bfd3cc04a05647c3c7c54
SHA16a1b7f1a45fb578de6492af7e2fede15c866739f
SHA256669cc0aae068ced3154acaecb0c692c4c5e61bc2ca95b40395a3399e75fcb9b2
SHA512fc8613f31acaf6155852d3ad6130fc3b76674b463dcdcfcd08a3b367dfd9e5b991e3f0a26994bcaf42f9e863a46a81e2520e77b1d99f703bcb08800bdca4efcb