Malware Analysis Report

2025-01-02 07:21

Sample ID 240916-wcseja1dnf
Target 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber
SHA256 4994d99b024a69536c6df49657916c91ff00d64d371a27c52be4bf85f45fb037
Tags
floxif backdoor discovery spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4994d99b024a69536c6df49657916c91ff00d64d371a27c52be4bf85f45fb037

Threat Level: Known bad

The file 2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber was found to be: Known bad.

Malicious Activity Summary

floxif backdoor discovery spyware stealer trojan upx

Floxif, Floodfix

Detects Floxif payload

Loads dropped DLL

Reads user/profile data of web browsers

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Executes dropped EXE

Blocklisted process makes network request

Checks installed software on the system

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Browser Information Discovery

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-16 17:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-16 17:46

Reported

2024-09-16 17:49

Platform

win7-20240903-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe"

Signatures

Floxif, Floodfix

backdoor trojan floxif

Detects Floxif payload

backdoor

ACProtect 1.3x - 1.4x DLL software

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
Every row has Description "File opened (read-only)" and Target N/A; the 47 rows are grouped here by process, with the drive roots in letter order. No row touches C:, D: or F:.

C:\Windows\system32\msiexec.exe (23 rows):
\??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:

C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe (24 rows; E: appears once as \??\e: and once as \??\E:):
\??\A: \??\B: \??\E: \??\e: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
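Both processes in the table open every drive root from A: through Z: except C:, D: and F: (the sample even opens E: twice, once as \??\e:). That is the pattern the "Enumerates connected drives" signature keys on, and it is the same thing a file infector does when it looks for volumes to spread to, so it is worth being able to re-derive it from raw file-open events rather than trusting the signature label. The script below is an added example and is not part of this report or of the sandbox's own signature code. It replays 16 rows copied from the table above plus one constructed row for explorer.exe opening only C:, and reports any process that opened at least DRIVE_SWEEP_MIN distinct drive roots. The threshold, the explorer.exe row and the row regex are assumptions made for the example.

```python
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe"
MSIEXEC = r"C:\Windows\system32\msiexec.exe"

# 16 rows copied from the "Enumerates connected drives" table (of its 47), plus one
# constructed row for explorer.exe opening only C: so the benign path is exercised.
REPORT_ROWS = r"""
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
File opened (read-only) \??\C: C:\Windows\explorer.exe N/A
"""
# The explorer.exe row above is constructed for this example, not taken from the report.

# Matches "File opened (read-only) \??\X: <process path> <target>" (the report's row layout).
ROW_RE = re.compile(r"^File opened \(read-only\) \\\?\?\\([A-Za-z]):\s+(.+?)\s+(\S+)$")

# Assumption for this example: 6 or more distinct drive roots from one process is a sweep.
DRIVE_SWEEP_MIN = 6


def parse_rows(text):
    """Yield (drive letter, process, target) for each matching row. The letter is
    upper-cased because drive letters are case-insensitive (the report has e: and E:)."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield m.group(1).upper(), m.group(2), m.group(3)


def drives_per_process(text):
    """process path -> set of distinct drive letters that process opened."""
    seen = defaultdict(set)
    for letter, proc, _target in parse_rows(text):
        seen[proc].add(letter)
    return dict(seen)


def drive_sweeps(text, threshold=DRIVE_SWEEP_MIN):
    """Processes that opened at least `threshold` distinct drive roots, letters sorted."""
    return {proc: sorted(letters)
            for proc, letters in drives_per_process(text).items()
            if len(letters) >= threshold}


if __name__ == "__main__":
    for proc, letters in drive_sweeps(REPORT_ROWS).items():
        print(f"drive sweep: {proc} opened {len(letters)} roots: {' '.join(letters)}")
```

On the full table both msiexec.exe and the sample cross the threshold and explorer.exe does not; the behavioral2 run on Windows 10 further down shows the same two processes sweeping the same roots, so the behaviour is not a Windows 7 artefact. Case-folding the letter matters: without it the sample's e: and E: count as two roots.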

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\System\symsrv.dll C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI9C46.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9CC4.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76954e.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI982A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI978D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9A7E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9D42.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76954d.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI98A8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9A00.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9AFC.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9B79.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9C07.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76954e.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76954d.msi C:\Windows\system32\msiexec.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\E3083844-F653-4AEA-83C0-B6704C280507\lite_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\E93922E8-D20F-4E38-95FD-7FFC6E69A675\seederexe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\E2EBC324-FE07-40F6-BBAA-981347BDDCB3\sender.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Users\Admin\AppData\Local\Temp\E93922E8-D20F-4E38-95FD-7FFC6E69A675\seederexe.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\E93922E8-D20F-4E38-95FD-7FFC6E69A675\seederexe.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Every row has Indicator N/A and Target N/A; the 64 rows are grouped here by process.

C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe (32 rows, 29 distinct privileges, in the order reported):
Token: SeDebugPrivilege, SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege

C:\Windows\system32\msiexec.exe (32 rows, 3 distinct privileges):
Token: SeRestorePrivilege (16 rows), SeTakeOwnershipPrivilege (15 rows), SeSecurityPrivilege (1 row); after the first three rows the table alternates SeRestorePrivilege / SeTakeOwnershipPrivilege.
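The sample requests 29 distinct privileges in one pass, among them SeDebugPrivilege, SeTcbPrivilege, SeLoadDriverPrivilege, SeCreateTokenPrivilege and SeAssignPrimaryTokenPrivilege. A program that needs one privilege enables that one; a list like this is a loop over every privilege name, which is the behaviour the signature is named for. msiexec.exe, by contrast, only toggles SeRestorePrivilege, SeTakeOwnershipPrivilege and SeSecurityPrivilege, which the Windows Installer service uses while it lays down files, so the same signature fires on both processes for very different reasons. The script below is an added example, not from the report or the sandbox vendor. It classifies each process from a subset of the rows above plus two constructed rows (explorer.exe enabling SeShutdownPrivilege, and a hypothetical C:\Users\Admin\Downloads\tool.exe enabling SeDebugPrivilege). HIGH_RISK, ALL_PRIVS_MIN and the EXPECTED allowlist for msiexec are assumptions made for the example.

```python
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe"
MSIEXEC = r"C:\Windows\system32\msiexec.exe"

# Rows copied from the "Suspicious use of AdjustPrivilegeToken" table (a subset of its
# 64 rows, one duplicate kept on purpose), followed by two constructed rows.
TOKEN_ROWS = r"""
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\tool.exe N/A
"""
# The explorer.exe and Downloads\tool.exe rows are constructed for this example.

# Matches "Token: <privilege> <indicator> <process path> <target>" (the report's row layout).
TOKEN_RE = re.compile(r"^Token:\s+(Se\w+Privilege)\s+\S+\s+(.+?)\s+(\S+)$")

# Privileges that hand a process debugging, impersonation, driver-loading or
# file-ownership capability. The set is a choice made for this example.
HIGH_RISK = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
    "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeImpersonatePrivilege", "SeTakeOwnershipPrivilege",
    "SeRestorePrivilege", "SeBackupPrivilege",
}
# Assumption for this example: Windows Installer legitimately uses these three.
EXPECTED = {MSIEXEC: {"SeRestorePrivilege", "SeTakeOwnershipPrivilege", "SeSecurityPrivilege"}}
# Assumption: this many distinct privileges from one process is an enable-everything loop.
ALL_PRIVS_MIN = 10


def privileges_per_process(text):
    """process path -> set of distinct privilege names it requested."""
    privs = defaultdict(set)
    for line in text.splitlines():
        m = TOKEN_RE.match(line.strip())
        if m:
            privs[m.group(2)].add(m.group(1))
    return dict(privs)


def classify(text):
    """process path -> (verdict, sorted high-risk privileges outside the allowlist)."""
    verdicts = {}
    for proc, privs in privileges_per_process(text).items():
        risky = sorted((privs - EXPECTED.get(proc, set())) & HIGH_RISK)
        if len(privs) >= ALL_PRIVS_MIN:
            verdicts[proc] = ("enable-all-privileges", risky)
        elif risky:
            verdicts[proc] = ("high-risk-privilege", risky)
        else:
            verdicts[proc] = ("expected", [])
    return verdicts


if __name__ == "__main__":
    for proc, (verdict, risky) in classify(TOKEN_ROWS).items():
        print(f"{verdict:22} {proc} {' '.join(risky)}")
```

The allowlist is keyed on the full path, so a copy of msiexec.exe run from a user directory does not inherit the exemption. Note that the sandbox logs the request, not the outcome: a token that does not hold SeTcbPrivilege cannot enable it, and the failure is itself a useful tell that the loop is blind.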

Suspicious use of WriteProcessMemory

Description Indicator Process Target
Identical rows are collapsed; the count is the number of times the sandbox reported the write for that pair.
PID 3020 wrote to memory of 1516 (7 rows) N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1516 wrote to memory of 1680 (7 rows) N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\E3083844-F653-4AEA-83C0-B6704C280507\lite_installer.exe
PID 1516 wrote to memory of 2816 (4 rows) N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\E93922E8-D20F-4E38-95FD-7FFC6E69A675\seederexe.exe
PID 2816 wrote to memory of 1336 (4 rows) N/A C:\Users\Admin\AppData\Local\Temp\E93922E8-D20F-4E38-95FD-7FFC6E69A675\seederexe.exe C:\Users\Admin\AppData\Local\Temp\E2EBC324-FE07-40F6-BBAA-981347BDDCB3\sender.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding DCA8DCC2AD9918DB120FC6C938F58327

C:\Users\Admin\AppData\Local\Temp\E3083844-F653-4AEA-83C0-B6704C280507\lite_installer.exe

"C:\Users\Admin\AppData\Local\Temp\E3083844-F653-4AEA-83C0-B6704C280507\lite_installer.exe" --use-user-default-locale --silent --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/

C:\Users\Admin\AppData\Local\Temp\E93922E8-D20F-4E38-95FD-7FFC6E69A675\seederexe.exe

"C:\Users\Admin\AppData\Local\Temp\E93922E8-D20F-4E38-95FD-7FFC6E69A675\seederexe.exe" "--yqs=" "--yhp=" "--ilight=" "--oem=" "--nopin=n" "--pin_custom=n" "--pin_desktop=n" "--pin_taskbar=y" "--locale=us" "--browser=" "--browser_default=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\E2EBC324-FE07-40F6-BBAA-981347BDDCB3\sender.exe" "--is_elevated=yes" "--ui_level=5" "--good_token=x" "--no_opera=n"

C:\Users\Admin\AppData\Local\Temp\E2EBC324-FE07-40F6-BBAA-981347BDDCB3\sender.exe

C:\Users\Admin\AppData\Local\Temp\E2EBC324-FE07-40F6-BBAA-981347BDDCB3\sender.exe --send "/status.xml?clid=9183476&uuid=7e512cfb-18B9-43E3-B357-302BBB5D31f1&vnt=Windows 7x64&file-no=6%0A15%0A25%0A45%0A57%0A59%0A111%0A125%0A129%0A"
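The write-to-memory edges and the process list together give the spawn chain: the Windows Installer service (msiexec.exe /V, PID 3020) starts its 32-bit custom-action host (MsiExec.exe -Embedding, PID 1516), which launches lite_installer.exe with --silent and seederexe.exe with --is_elevated=yes from per-run GUID directories under %TEMP%, and seederexe.exe in turn starts sender.exe with the status beacon shown above. The sandbox attributes a WriteProcessMemory from the parent to each child it creates, so the repeated rows per pair accompany ordinary process creation here; the information is in the chain, not in the write count. The script below is an added example, not the report's or the vendor's code. It parses a subset of the edge rows, rebuilds the tree from them, and flags edges where a binary under C:\Windows writes into a process that lives in a user-writable directory. The path-prefix lists are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Edges copied from the "Suspicious use of WriteProcessMemory" table (a subset; the
# report repeats each edge several times). Paths in these rows contain no spaces.
EDGE_ROWS = r"""
PID 3020 wrote to memory of 1516 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3020 wrote to memory of 1516 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3020 wrote to memory of 1516 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1516 wrote to memory of 1680 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\E3083844-F653-4AEA-83C0-B6704C280507\lite_installer.exe
PID 1516 wrote to memory of 1680 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\E3083844-F653-4AEA-83C0-B6704C280507\lite_installer.exe
PID 1516 wrote to memory of 2816 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\E93922E8-D20F-4E38-95FD-7FFC6E69A675\seederexe.exe
PID 2816 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\E93922E8-D20F-4E38-95FD-7FFC6E69A675\seederexe.exe C:\Users\Admin\AppData\Local\Temp\E2EBC324-FE07-40F6-BBAA-981347BDDCB3\sender.exe
"""

# "PID <src> wrote to memory of <dst> <indicator> <src path> <dst path>"; the paths are
# taken as single tokens, which holds for every row in this report.
EDGE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+\S+\s+(\S+)\s+(\S+)$")


def parse_edges(text):
    """Counter of (src_pid, dst_pid, src_path, dst_path); the count is how many
    WriteProcessMemory calls the sandbox attributed to that parent/child pair."""
    edges = Counter()
    for line in text.splitlines():
        m = EDGE_RE.match(line.strip())
        if m:
            edges[(int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))] += 1
    return edges


def build_tree(edges):
    """parent pid -> sorted list of (child pid, child path)."""
    tree = defaultdict(list)
    for src, dst, _src_path, dst_path in edges:
        tree[src].append((dst, dst_path))
    return {pid: sorted(children) for pid, children in tree.items()}


def roots(edges):
    """PIDs that write into others but were never written into: the top of each chain."""
    return sorted({e[0] for e in edges} - {e[1] for e in edges})


def is_windows_binary(path):
    return path.lower().startswith("c:\\windows\\")


def is_user_writable(path):
    # Assumption for this example: the user-writable prefixes worth alerting on.
    low = path.lower()
    return low.startswith("c:\\users\\") or low.startswith("c:\\programdata\\")


def suspicious_spawns(edges):
    """Edges where a binary under C:\\Windows writes into a process in a user-writable
    directory, i.e. a trusted installer host launching files that were just dropped."""
    return sorted(e for e in edges if is_windows_binary(e[2]) and is_user_writable(e[3]))


def render(edges):
    """Indented text tree, one line per process, starting from each root."""
    tree = build_tree(edges)
    paths = {}
    for src, dst, src_path, dst_path in edges:
        paths[src], paths[dst] = src_path, dst_path

    def walk(pid, depth):
        lines = ["  " * depth + f"{pid}  {paths[pid]}"]
        for child, _ in tree.get(pid, []):
            lines.extend(walk(child, depth + 1))
        return lines

    out = []
    for root in roots(edges):
        out.extend(walk(root, 0))
    return out


if __name__ == "__main__":
    edges = parse_edges(EDGE_ROWS)
    print("\n".join(render(edges)))
    for src, dst, src_path, dst_path in suspicious_spawns(edges):
        print(f"ALERT {src} {src_path} -> {dst} {dst_path} ({edges[(src, dst, src_path, dst_path)]} writes)")
```

The rule flags the two MsiExec.exe children and nothing else: msiexec.exe -> MsiExec.exe is Windows into Windows, and seederexe.exe -> sender.exe has no trusted parent. The sample's own PID never appears as a source in this table, so the tree's root is the Installer service, not the dropper; the link between them is the YandexSearch.msi in the Files section, not a memory write.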

Network

Country Destination Domain Proto
US 8.8.8.8:53 clck.yandex.ru udp
RU 87.250.250.14:80 clck.yandex.ru tcp
RU 77.88.21.14:80 clck.yandex.ru tcp
US 8.8.8.8:53 soft.export.yandex.ru udp
RU 87.250.254.20:80 soft.export.yandex.ru tcp

Files

memory/1744-3-0x0000000010000000-0x0000000010030000-memory.dmp

\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

memory/1744-5-0x000000000041F000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi

MD5 db69b41b1827ccc598a416e0d32e4a39
SHA1 acc35592e318c32d0f4ac768f32f1f8243ba230c
SHA256 b5a4c7a05785ac51553953bf951c284ff03a9ac7d1cba15fa391d0b6c7aed5cc
SHA512 d40479e0dd384a99fefbc8a43381dde21b2633320393566ecdb2895fa88008794b996d7fac3ddae102c6dd516cdb3c14e3e52ff7371472cc0894c444a4b4d867

C:\Users\Admin\AppData\Local\Temp\Tar92E2.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\Cab92CF.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\YandexSearch00000.log

MD5 c469cccb63e3452aabf183448df47406
SHA1 a8039b2251cf5464004075546862126f65007d9c
SHA256 a2d1211986607c4cabc78cee7a9617b0f49856ac5733bd3e552e43b28a9b454f
SHA512 84bcdbe61c7bb327b645109c581e1925a40e7a6c6e2b848aeba6328ec10e6b923ce44739ec481a9951437b4e94de0a80f5d8b8b2c58612463e362aba226a70d7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ee1915bc0f88ac43a42e0ce727a6122b
SHA1 f7100e74480e4f0486bbf2c2270a7a304202d6c5
SHA256 4c63c581b9a12305c9461c3395172aae8db0a6ddd0f9c86a3f1769f99398edab
SHA512 e045967605502aa47f5bd005db80b56ec19d777ab774160c68f4a750ac226d8da0269cb81f20c7e2b8c471e7de5655c717fe9723d0dfe20333b58c5b95513c73

\Windows\Installer\MSI978D.tmp

MD5 0c80a997d37d930e7317d6dac8bb7ae1
SHA1 018f13dfa43e103801a69a20b1fab0d609ace8a5
SHA256 a5dd2f97c6787c335b7807ff9b6966877e9dd811f9e26326837a7d2bd224de86
SHA512 fe1caef6d727344c60df52380a6e4ab90ae1a8eb5f96d6054eced1b7734357ce080d944fa518cf1366e14c4c0bd9a41db679738a860800430034a75bb90e51a5

\Windows\Installer\MSI982A.tmp

MD5 e6fd0e66cf3bfd3cc04a05647c3c7c54
SHA1 6a1b7f1a45fb578de6492af7e2fede15c866739f
SHA256 669cc0aae068ced3154acaecb0c692c4c5e61bc2ca95b40395a3399e75fcb9b2
SHA512 fc8613f31acaf6155852d3ad6130fc3b76674b463dcdcfcd08a3b367dfd9e5b991e3f0a26994bcaf42f9e863a46a81e2520e77b1d99f703bcb08800bdca4efcb

C:\Users\Admin\AppData\Local\Temp\vendor00000.xml

MD5 c528466ba6d4f66966aa31021aa339dc
SHA1 ee953f22f33b25d80cbfe250d64fed4d2da80091
SHA256 546e928b7127a4515b089f0b913078404b664a5df33c928a281888c25b03760f
SHA512 ebd159dbc6f47b6f70e4f47d9de6bc540c86c915c44df7a4dd50c1c6a431303bb06e22382e8a76e9e2399d24263feca64305a74fa4b50314f8b429b141af601c

\Users\Admin\AppData\Local\Temp\E3083844-F653-4AEA-83C0-B6704C280507\lite_installer.exe

MD5 aafdfaa7a989ddb216510fc9ae5b877f
SHA1 41cf94692968a7d511b6051b7fe2b15c784770cb
SHA256 688d0b782437ccfae2944281ade651a2da063f222e80b3510789dbdce8b00fdc
SHA512 6e2b76ff6df79c6de6887cf739848d05c894fbd70dc9371fff95e6ccd9938d695c46516cb18ec8edd01e78cad1a6029a3d633895f7ddba4db4bf9cd39271bd44

C:\Users\Admin\AppData\Local\Temp\E93922E8-D20F-4E38-95FD-7FFC6E69A675\seederexe.exe

MD5 225ba20fa3edd13c9c72f600ff90e6cb
SHA1 5f1a9baa85c2afe29619e7cc848036d9174701e4
SHA256 35585d12899435e13e186490fcf1d270adbe3c74a1e0578b3d9314858bf2d797
SHA512 97e699cffe28d3c3611570d341ccbc1a0f0eec233c377c70e0e20d4ed3b956b6fe200a007f7e601a5724e733c97eaddc39d308b9af58d45f7598f10038d94ab3

C:\Users\Admin\AppData\Roaming\Yandex\ui

MD5 c04df45d070dcac5ae4ec7175808a08b
SHA1 d5738cbfad7bb35b631e3ba3f50f24099bf9ea59
SHA256 b9c342d39d22007c6d4a0e74ff4679aee477f50208a60f944b55e53e82a6bbaf
SHA512 bb4590593b2f4694caeb985e0540396d6b54be25fb7ce83ad0fa7270ea3f710ccd25d8dff9304327719223aa7adf0573b3d8e5c6d5673e305fe9fee6aa0a2287

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 7f660989e24ff4572061bcf5e68c8ef6
SHA1 5c4e99f17c899c2851f8c45f1c114592865bceb5
SHA256 0521c674f681c2ee1eae55066e64131b08fac3a571a1ede27920bee0199cb36c
SHA512 b22e5c7bc353d4c5cbf9c1f26642be232e825f8f9bc3b39bffbc9e9382d671b767f8bba86ef09c2421ae701eca09182002606b47e47424a901c4e23dcd30619d

C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml

MD5 f1083a9453af8796ae5b0df6d4e8ce57
SHA1 2567b4c551c179614d213514bed8ceb20e4f97e8
SHA256 637a4d28261e4819483ca7296cf6b6eb5768e2e82b218a3edca4c007b9941788
SHA512 fd5993494290326be52da2105ca176c588f490fd9c4a98514178a1459887064b6bd09f4e4168dd1a35a2e5e5b58b887cfc0e595e4b1a8e2a79bc93c2ea1cd880

C:\Config.Msi\f76954f.rbs

MD5 dc565893956cb209747a64cc2a0c645d
SHA1 9a063e92cf0f6a49f03bc870ccec184dfc17ecfc
SHA256 d7971fb06425f96d590464d39a1467896433dde26cf7f9bd3b7fc3d90e8956c8
SHA512 d030a56bf5b80fc29129e2bd67c3e1d655f507d268f159713d732a099cbc1f81c9d05024239ef3e2d93fd71e20db042846ffbf5893ad95b63099211ef3e8e103

memory/1744-472-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OMNIJA~1.ZIP

MD5 1d6cfd7db58008d1b44328c5a3a4220c
SHA1 8e8304bfd7a73b9ae8415b6cbd273e612868a2b2
SHA256 915e46dcc29d6fee123c4b8e88d846ac95ffd4a6f4eb956dc882d305ee1b8256
SHA512 4c17160aa83abeff897462f981226902dd6694817ad95f246511fc63c637bdffa0989a3db00c4309fa673a13b4993c509df538ddad482d1be8b4058749ee93f2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.Admin\places.sqlite-20240916174707.759000.backup

MD5 314cb7ffb31e3cc676847e03108378ba
SHA1 3667d2ade77624e79d9efa08a2f1d33104ac6343
SHA256 b6d278384a3684409a2a86f03e4f52869818ce7dd8b5779876960353f7d35dc1
SHA512 dc795fa35ea214843a781ee2b2ef551b91b6841a799bef2c6fb1907d90f6c114071a951ebb7b2b30e81d52b594d447a26ab12ddb57c331e854577d11e5febef5

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Bookmarks-20240916174707.821400.backup

MD5 3adec702d4472e3252ca8b58af62247c
SHA1 35d1d2f90b80dca80ad398f411c93fe8aef07435
SHA256 2b167248e8136c4d45c2c46e2bff6fb5e5137dd4dfdccde998599be2df2e9335
SHA512 7562e093d16ee6305c1bb143a3f5d60dafe8b5de74952709abc68a0c353b65416bf78b1fa1a6720331615898848c1464a7758c5dfe78f8098f77fbfa924784c0

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Preferences-20240916174707.821400.backup

MD5 af006f1bcc57b11c3478be8babc036a8
SHA1 c3bb4fa8c905565ca6a1f218e39fe7494910891e
SHA256 ed6a32e11cc99728771989b01f5ae813de80c46a59d3dc68c23a4671a343cb8c
SHA512 3d20689b0f39b414349c505be607e6bfc1f33ac401cf62a32f36f7114e4a486552f3e74661e90db29402bb85866944e9f8f31baba9605aa0c6def621511a26af

C:\Users\Admin\AppData\Local\Temp\E2EBC324-FE07-40F6-BBAA-981347BDDCB3\sender.exe

MD5 f1a8f60c018647902e70cf3869e1563f
SHA1 3caf9c51dfd75206d944d4c536f5f5ff8e225ae9
SHA256 36022c6ecb3426791e6edee9074a3861fe5b660d98f2b2b7c13b80fe11a75577
SHA512 c02dfd6276ad136283230cdf07d30ec2090562e6c60d6c0d4ac3110013780fcafd76e13931be53b924a35cf473d0f5ace2f6b5c3f1f70ce66b40338e53d38d1e
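The Files section is the IOC payload of this report: a reported path plus MD5, SHA1, SHA256 and SHA512 for each dropped or modified file, with the memory dumps listed without hashes. Two kinds of entry matter for hunting. symsrv.dll written to C:\Program Files\Common Files\System is the only file the sample itself drops outside %TEMP%, and the installer components (lite_installer.exe, seederexe.exe, sender.exe, YandexSearch.msi) sit in per-run GUID directories whose names will differ on any other host, so only the file names and hashes carry over. The script below is an added example, not part of the report or of the sandbox vendor's tooling. It parses three entries copied from the section above into an IOC set, rejects a digest of the wrong length for its algorithm, scans a directory tree by SHA256, and offers a name-only match as a cheaper first pass. self_check builds a throwaway directory holding one constructed file and registers its SHA256 as a constructed extra IOC; nothing in that function comes from the report.

```python
import hashlib
import os
import re
import tempfile

# Three entries copied verbatim from the Files section; the memory dump line is kept
# to show that entries without hashes are skipped.
FILES_SECTION = r"""
\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

memory/1744-5-0x000000000041F000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi

MD5 db69b41b1827ccc598a416e0d32e4a39
SHA1 acc35592e318c32d0f4ac768f32f1f8243ba230c
SHA256 b5a4c7a05785ac51553953bf951c284ff03a9ac7d1cba15fa391d0b6c7aed5cc
SHA512 d40479e0dd384a99fefbc8a43381dde21b2633320393566ecdb2895fa88008794b996d7fac3ddae102c6dd516cdb3c14e3e52ff7371472cc0894c444a4b4d867

\Users\Admin\AppData\Local\Temp\E3083844-F653-4AEA-83C0-B6704C280507\lite_installer.exe

MD5 aafdfaa7a989ddb216510fc9ae5b877f
SHA1 41cf94692968a7d511b6051b7fe2b15c784770cb
SHA256 688d0b782437ccfae2944281ade651a2da063f222e80b3510789dbdce8b00fdc
SHA512 6e2b76ff6df79c6de6887cf739848d05c894fbd70dc9371fff95e6ccd9938d695c46516cb18ec8edd01e78cad1a6029a3d633895f7ddba4db4bf9cd39271bd44
"""

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")


def parse_files_section(text):
    """Return {reported path: {algo: hex digest}}. Any non-hash, non-empty line starts a
    new entry; entries that never get a hash (the memory dumps) are dropped. A digest of
    the wrong length raises, because a mangled IOC silently matches nothing."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m is None:
            current = line
            continue
        algo, digest = m.group(1), m.group(2).lower()
        if len(digest) != HASH_LENGTHS[algo]:
            raise ValueError(f"{algo} digest for {current!r} has length {len(digest)}")
        entries.setdefault(current, {})[algo] = digest
    return {path: hashes for path, hashes in entries.items() if path is not None}


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, iocs):
    """[(local file, reported path)] for files under `root` whose SHA256 is in `iocs`."""
    by_sha = {h["SHA256"]: p for p, h in iocs.items() if "SHA256" in h}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            local = os.path.join(dirpath, name)
            reported = by_sha.get(sha256_of(local))
            if reported:
                hits.append((local, reported))
    return hits


def basename_hits(root, iocs):
    """Cheaper pointer: files under `root` whose name matches a reported file name.
    A name like symsrv.dll also belongs to legitimate software, so confirm with the hash."""
    names = {os.path.basename(p.replace("\\", "/")).lower(): p for p in iocs}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in names:
                hits.append((os.path.join(dirpath, name), names[name.lower()]))
    return hits


def self_check():
    """Exercise both matchers against a throwaway directory holding one constructed
    file; its SHA256 is registered as an extra, constructed IOC."""
    iocs = parse_files_section(FILES_SECTION)
    content = b"constructed test content, not the real dropper"
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "Common Files", "System", "symsrv.dll")
        os.makedirs(os.path.dirname(target))
        with open(target, "wb") as f:
            f.write(content)
        extra = dict(iocs)
        extra[r"X:\constructed\dropper.bin"] = {"SHA256": hashlib.sha256(content).hexdigest()}
        return {
            "entries": sorted(iocs),
            "hash_hits_report_only": scan_tree(d, iocs),
            "hash_hits_with_extra": [reported for _, reported in scan_tree(d, extra)],
            "name_hits": [reported for _, reported in basename_hits(d, iocs)],
        }


if __name__ == "__main__":
    for key, value in self_check().items():
        print(key, value)
```

Feed the whole Files section to parse_files_section to get all of the report's hashed entries; the browser profile backups (places.sqlite, Bookmarks, Preferences) parse too, but they are artefacts of the victim profile, not of the sample, and belong in a separate list from the dropped binaries.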

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-16 17:46

Reported

2024-09-16 17:49

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe"

Signatures

Floxif, Floodfix

backdoor trojan floxif

Detects Floxif payload

backdoor

ACProtect 1.3x - 1.4x DLL software

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\System\symsrv.dll C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
File created \??\c:\program files\common files\system\symsrv.dll.000 C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSIA5BF.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57a19f.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA452.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA482.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA4A2.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57a19f.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA2E7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA4E2.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA550.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA346.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA3A4.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA432.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{5B964E0E-B9A3-4276-9ED9-4D5A5720747A} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA66C.tmp C:\Windows\system32\msiexec.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\A7A20E76-6C06-4ECA-A344-EAA148A7E26E\sender.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5A8A29E9-78F4-4A1C-B7C2-6BC821FE2A40\lite_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EDA6B66D-D266-4438-889A-EE6D9FA6BB53\seederexe.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Users\Admin\AppData\Local\Temp\EDA6B66D-D266-4438-889A-EE6D9FA6BB53\seederexe.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\EDA6B66D-D266-4438-889A-EE6D9FA6BB53\seederexe.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 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 C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 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 C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 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 C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1 C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 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 C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 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 C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2400 wrote to memory of 3252 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2400 wrote to memory of 3252 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2400 wrote to memory of 3252 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3252 wrote to memory of 5116 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\5A8A29E9-78F4-4A1C-B7C2-6BC821FE2A40\lite_installer.exe
PID 3252 wrote to memory of 5116 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\5A8A29E9-78F4-4A1C-B7C2-6BC821FE2A40\lite_installer.exe
PID 3252 wrote to memory of 5116 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\5A8A29E9-78F4-4A1C-B7C2-6BC821FE2A40\lite_installer.exe
PID 3252 wrote to memory of 1664 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\EDA6B66D-D266-4438-889A-EE6D9FA6BB53\seederexe.exe
PID 3252 wrote to memory of 1664 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\EDA6B66D-D266-4438-889A-EE6D9FA6BB53\seederexe.exe
PID 3252 wrote to memory of 1664 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\EDA6B66D-D266-4438-889A-EE6D9FA6BB53\seederexe.exe
PID 1664 wrote to memory of 6692 N/A C:\Users\Admin\AppData\Local\Temp\EDA6B66D-D266-4438-889A-EE6D9FA6BB53\seederexe.exe C:\Users\Admin\AppData\Local\Temp\A7A20E76-6C06-4ECA-A344-EAA148A7E26E\sender.exe
PID 1664 wrote to memory of 6692 N/A C:\Users\Admin\AppData\Local\Temp\EDA6B66D-D266-4438-889A-EE6D9FA6BB53\seederexe.exe C:\Users\Admin\AppData\Local\Temp\A7A20E76-6C06-4ECA-A344-EAA148A7E26E\sender.exe
PID 1664 wrote to memory of 6692 N/A C:\Users\Admin\AppData\Local\Temp\EDA6B66D-D266-4438-889A-EE6D9FA6BB53\seederexe.exe C:\Users\Admin\AppData\Local\Temp\A7A20E76-6C06-4ECA-A344-EAA148A7E26E\sender.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024091618b5196c49a9611141dd28e90986e4b5floxifmagniber.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding BE5FD16574D12B609296BB07739E492E

C:\Users\Admin\AppData\Local\Temp\5A8A29E9-78F4-4A1C-B7C2-6BC821FE2A40\lite_installer.exe

"C:\Users\Admin\AppData\Local\Temp\5A8A29E9-78F4-4A1C-B7C2-6BC821FE2A40\lite_installer.exe" --use-user-default-locale --silent --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/

C:\Users\Admin\AppData\Local\Temp\EDA6B66D-D266-4438-889A-EE6D9FA6BB53\seederexe.exe

"C:\Users\Admin\AppData\Local\Temp\EDA6B66D-D266-4438-889A-EE6D9FA6BB53\seederexe.exe" "--yqs=" "--yhp=" "--ilight=" "--oem=" "--nopin=n" "--pin_custom=n" "--pin_desktop=n" "--pin_taskbar=y" "--locale=us" "--browser=" "--browser_default=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\A7A20E76-6C06-4ECA-A344-EAA148A7E26E\sender.exe" "--is_elevated=yes" "--ui_level=5" "--good_token=x" "--no_opera=n"

C:\Users\Admin\AppData\Local\Temp\A7A20E76-6C06-4ECA-A344-EAA148A7E26E\sender.exe

C:\Users\Admin\AppData\Local\Temp\A7A20E76-6C06-4ECA-A344-EAA148A7E26E\sender.exe --send "/status.xml?clid=9183476&uuid=1bcb2a9f-7d23-4585-846d-ccf59f867551&vnt=Windows 10x64&file-no=8%0A15%0A25%0A45%0A57%0A59%0A102%0A111%0A125%0A129%0A"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 www.aieov.com udp
US 45.56.79.23:80 www.aieov.com tcp
US 8.8.8.8:53 133.194.101.151.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 23.79.56.45.in-addr.arpa udp
US 8.8.8.8:53 clck.yandex.ru udp
RU 77.88.21.14:80 clck.yandex.ru tcp
US 8.8.8.8:53 soft.export.yandex.ru udp
RU 213.180.193.14:80 clck.yandex.ru tcp
RU 87.250.254.20:80 soft.export.yandex.ru tcp
US 8.8.8.8:53 14.21.88.77.in-addr.arpa udp
US 8.8.8.8:53 14.193.180.213.in-addr.arpa udp
US 8.8.8.8:53 20.254.250.87.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

memory/1980-3-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1980-5-0x000000000041F000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi

MD5 db69b41b1827ccc598a416e0d32e4a39
SHA1 acc35592e318c32d0f4ac768f32f1f8243ba230c
SHA256 b5a4c7a05785ac51553953bf951c284ff03a9ac7d1cba15fa391d0b6c7aed5cc
SHA512 d40479e0dd384a99fefbc8a43381dde21b2633320393566ecdb2895fa88008794b996d7fac3ddae102c6dd516cdb3c14e3e52ff7371472cc0894c444a4b4d867

C:\Users\Admin\AppData\Local\Temp\YandexSearch00000.log

MD5 c914f5b83ed80cb8b93df05637dc6701
SHA1 2f5fcb2daf7bfbc2a8d4f313a95fd2300674547b
SHA256 a732200faff9d4f3e1537d08aa1c5116abf88f540d3f612cc418c9c9beddc850
SHA512 0c17156d9badd83da1ea05a12ce650ee11f2b9da225642ec7cdafca5cf0d9219384225470fb5c01ee4635f092c0a28292fe66e6bb416aef66b65cd344624d7ac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

MD5 e1158894b18f52d33151e37e5f9648d6
SHA1 f9d13b45ac50ac2811fca3f381f2ea4647d75c7a
SHA256 233f2b250918c7d7015c373b5ca163c0efeb8bc46aa285742a5fe21a53e78bcd
SHA512 5eb7f3547501363ebc53e36eca4f80abe72bf4c62451be6918f1f8270b43a10e8bcfef122ec1c04927c48971f5e49c811057a51c38eadcc617d1830e205c05cb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_394487CAFBCFB8C5917AD7A10924C8A7

MD5 891b1beb45c53a0b6d367668cf940bda
SHA1 9fb59590131a924f28dbac1fc3fca2d6b149b716
SHA256 9255a65b809b158171b6c4c0ae11e28220e84bc63e5982d06e12134e886177be
SHA512 7ce8635c9fc8a3183e5493073b82777e984f291f566b4ae2822b8578045fc583de3b7b9d0c55f846897fd439174304911bc215a41c3943bd878f478ac9a23577

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

MD5 9301f8b08f4a50edfdcb00222eff6d38
SHA1 3572b7930dc0d057b9ce3da8f2e3ae55c6e8d1d8
SHA256 daf5a7b210974af392bc4b1f5b525f4780b1861dd80418a15743e09d1c1e4e9c
SHA512 371aa39b2c49599fbb72ffd66abaeb612204e9c95054b0c236b925365a48480e35a93c097967ac5960aa97f881940fb262fdc51d5305eaa0aeeeaf33040b3cf6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_394487CAFBCFB8C5917AD7A10924C8A7

MD5 41abbf43f4ffb8d6fd44c6cc1d0df535
SHA1 06ea5ccc2d8fdd9c3de05a127fa27a36eea5352d
SHA256 baf69982271ba57e8b845dd473e465e0ce54836af8c46078c3cdba4c908066c7
SHA512 ec6225202f9b3d30bc7a63edbbd6b02ded1d610de2293aabbb8a3a2930dad23c8f4795ba41dedd68fe0657f0fa7cfb55594665b9aad6d77a77e932453aea38b5

C:\Windows\Installer\MSIA2E7.tmp

MD5 0c80a997d37d930e7317d6dac8bb7ae1
SHA1 018f13dfa43e103801a69a20b1fab0d609ace8a5
SHA256 a5dd2f97c6787c335b7807ff9b6966877e9dd811f9e26326837a7d2bd224de86
SHA512 fe1caef6d727344c60df52380a6e4ab90ae1a8eb5f96d6054eced1b7734357ce080d944fa518cf1366e14c4c0bd9a41db679738a860800430034a75bb90e51a5

C:\Windows\Installer\MSIA346.tmp

MD5 e6fd0e66cf3bfd3cc04a05647c3c7c54
SHA1 6a1b7f1a45fb578de6492af7e2fede15c866739f
SHA256 669cc0aae068ced3154acaecb0c692c4c5e61bc2ca95b40395a3399e75fcb9b2
SHA512 fc8613f31acaf6155852d3ad6130fc3b76674b463dcdcfcd08a3b367dfd9e5b991e3f0a26994bcaf42f9e863a46a81e2520e77b1d99f703bcb08800bdca4efcb

C:\Users\Admin\AppData\Local\Temp\vendor00000.xml

MD5 c528466ba6d4f66966aa31021aa339dc
SHA1 ee953f22f33b25d80cbfe250d64fed4d2da80091
SHA256 546e928b7127a4515b089f0b913078404b664a5df33c928a281888c25b03760f
SHA512 ebd159dbc6f47b6f70e4f47d9de6bc540c86c915c44df7a4dd50c1c6a431303bb06e22382e8a76e9e2399d24263feca64305a74fa4b50314f8b429b141af601c

C:\Users\Admin\AppData\Local\Temp\5A8A29E9-78F4-4A1C-B7C2-6BC821FE2A40\lite_installer.exe

MD5 aafdfaa7a989ddb216510fc9ae5b877f
SHA1 41cf94692968a7d511b6051b7fe2b15c784770cb
SHA256 688d0b782437ccfae2944281ade651a2da063f222e80b3510789dbdce8b00fdc
SHA512 6e2b76ff6df79c6de6887cf739848d05c894fbd70dc9371fff95e6ccd9938d695c46516cb18ec8edd01e78cad1a6029a3d633895f7ddba4db4bf9cd39271bd44

C:\Users\Admin\AppData\Local\Temp\EDA6B66D-D266-4438-889A-EE6D9FA6BB53\seederexe.exe

MD5 225ba20fa3edd13c9c72f600ff90e6cb
SHA1 5f1a9baa85c2afe29619e7cc848036d9174701e4
SHA256 35585d12899435e13e186490fcf1d270adbe3c74a1e0578b3d9314858bf2d797
SHA512 97e699cffe28d3c3611570d341ccbc1a0f0eec233c377c70e0e20d4ed3b956b6fe200a007f7e601a5724e733c97eaddc39d308b9af58d45f7598f10038d94ab3

C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml

MD5 f1083a9453af8796ae5b0df6d4e8ce57
SHA1 2567b4c551c179614d213514bed8ceb20e4f97e8
SHA256 637a4d28261e4819483ca7296cf6b6eb5768e2e82b218a3edca4c007b9941788
SHA512 fd5993494290326be52da2105ca176c588f490fd9c4a98514178a1459887064b6bd09f4e4168dd1a35a2e5e5b58b887cfc0e595e4b1a8e2a79bc93c2ea1cd880

C:\Users\Admin\AppData\Local\Temp\tmp1664aaaaaa

MD5 fefc3d677388386c29d8720c15b9db3f
SHA1 370f1f40ae5c652d87b3b8f42e67d827af2b1754
SHA256 74d5e8d3cd8d659d8df8e6f306832dfc252e1a6e676bb60334e31b5943deb4fb
SHA512 b462ca1ffb0798bedc39c945daa75ff73e0efbb1c6dfdb262e6b2936158933f514f0b4169e811069df11aaeaebd39c826ce0caf9f6eb6d77de249fca6abe39fe

C:\Config.Msi\e57a1a0.rbs

MD5 b9c0200932c380cc01db0dc8ab4a6252
SHA1 bfa3841893eb761cdd15563b8bfb52a8cae72836
SHA256 8be55f52c75145d77d7c75e8f007056cd4a5f831acfdb789493ce8fb86f20263
SHA512 fc0e55ea57ea17284be54ee22f96e4014776174186bf72bc1a9abfb05514612a6b49cf6f9e8c4188382773adeb95220aaa0b7a72aa8eb3248072ab077d8653fe

memory/1980-226-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\omnija-20244716.zip

MD5 c5750fc92569e781bd36bdcc8215aa4c
SHA1 4c9a2b4b4da46de31c27120c76a8f74d410cba17
SHA256 eeb36cbca086fc67b9eb6946db764d8d2940a0dc22b2cea28c0d77e4d1e3ed78
SHA512 602a26fce9bd2f6b724a7e741191c611cbcbff5fbde616123379cea6a4b8fd629cbdf6d2b2314324d38d8c96b7fe6a57416d93d46b29d35388d0dad9147946f7

\??\PIPE\wkssvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ldjzjqt.Admin\places.sqlite-20240916174709.218969.backup

MD5 314cb7ffb31e3cc676847e03108378ba
SHA1 3667d2ade77624e79d9efa08a2f1d33104ac6343
SHA256 b6d278384a3684409a2a86f03e4f52869818ce7dd8b5779876960353f7d35dc1
SHA512 dc795fa35ea214843a781ee2b2ef551b91b6841a799bef2c6fb1907d90f6c114071a951ebb7b2b30e81d52b594d447a26ab12ddb57c331e854577d11e5febef5

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Bookmarks-20240916174709.359592.backup

MD5 3adec702d4472e3252ca8b58af62247c
SHA1 35d1d2f90b80dca80ad398f411c93fe8aef07435
SHA256 2b167248e8136c4d45c2c46e2bff6fb5e5137dd4dfdccde998599be2df2e9335
SHA512 7562e093d16ee6305c1bb143a3f5d60dafe8b5de74952709abc68a0c353b65416bf78b1fa1a6720331615898848c1464a7758c5dfe78f8098f77fbfa924784c0

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Preferences-20240916174709.359592.backup

MD5 af006f1bcc57b11c3478be8babc036a8
SHA1 c3bb4fa8c905565ca6a1f218e39fe7494910891e
SHA256 ed6a32e11cc99728771989b01f5ae813de80c46a59d3dc68c23a4671a343cb8c
SHA512 3d20689b0f39b414349c505be607e6bfc1f33ac401cf62a32f36f7114e4a486552f3e74661e90db29402bb85866944e9f8f31baba9605aa0c6def621511a26af

C:\Users\Admin\AppData\Local\Temp\A7A20E76-6C06-4ECA-A344-EAA148A7E26E\sender.exe

MD5 f1a8f60c018647902e70cf3869e1563f
SHA1 3caf9c51dfd75206d944d4c536f5f5ff8e225ae9
SHA256 36022c6ecb3426791e6edee9074a3861fe5b660d98f2b2b7c13b80fe11a75577
SHA512 c02dfd6276ad136283230cdf07d30ec2090562e6c60d6c0d4ac3110013780fcafd76e13931be53b924a35cf473d0f5ace2f6b5c3f1f70ce66b40338e53d38d1e

C:\Users\Admin\AppData\Roaming\Yandex\ui

MD5 80f3bcfc6945bb24925c96895b4746b9
SHA1 34305a706b01c14f079bafcb3df4466d7c4baf02
SHA256 38fdbf9e8d4f1e2699def0364c0aa2e99628a23e8e149cc729e3a780507ddbca
SHA512 34f4eb128055ae771204f81d0020a0e385d53d055fe42cdb67506b909640517c5142efa3ef2445365303aa0523e089501d2132777d81c1538e321999ffb10767