c0180ab08a632ea62fe121cc4d36b5d92857ca18c7cbc063849d07b2cc4b62a4

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
31/10/2023, 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b66ce35796756741b46d1663fb5c191514233b2fdd00f1bd44e127deb4f26be3.exe
Size

389KB
MD5

7e40b2f75e86fde0f345cf53e96a7090
SHA1

3c0acefc3c4d452449fa5efa7a2d3167f71ca9e0
SHA256

b66ce35796756741b46d1663fb5c191514233b2fdd00f1bd44e127deb4f26be3
SHA512

10546997570c02ad1b8fdba0d089676787a464d5e7436c633c3e4272348abdbd464fa9344644ed260a18f5cd41a0b4abdb0a9a37453ea4d803bc1fd8f3df84e8
SSDEEP

12288:FvHOmh9159ZWAnMmcLVxzXlTsJ3w4mGjrtDLhzjeq:5Z15FnvcJxzRsxXmGf5Lh3

Score

8^/10

spyware stealer upx

Malware Config

Signatures

Downloads MZ/PE file
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1676-0-0x0000000001280000-0x00000000012E1000-memory.dmp	upx
behavioral1/memory/1676-118-0x0000000001280000-0x00000000012E1000-memory.dmp	upx
behavioral1/files/0x0006000000015eba-174.dat	upx
behavioral1/files/0x0006000000015eba-181.dat	upx
behavioral1/memory/2972-183-0x00000000035D0000-0x0000000003631000-memory.dmp	upx
behavioral1/files/0x0006000000015eba-185.dat	upx
behavioral1/files/0x0006000000015eba-186.dat	upx
behavioral1/memory/2848-214-0x0000000000150000-0x00000000001B1000-memory.dmp	upx
behavioral1/memory/2848-335-0x0000000000150000-0x00000000001B1000-memory.dmp	upx
behavioral1/memory/2848-405-0x0000000000150000-0x00000000001B1000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\qipcap64.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\freebl3.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\xul.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nss3.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\manifest.json	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-private-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsd33BF.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\shortcuts_log.ini	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-timezone-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\libEGL.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\lgpllibs.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\ipcclientcerts.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaultagent.ini	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\Accessible.tlb	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\xul.dll.sig	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nssckbi.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\mozavutil.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe.sig	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\mozavcodec.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-conio-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsd33BF.tmp\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\mozwer.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.ini	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-localization-l1-2-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\tobedeleted\nsd985D.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\d3dcompiler_47.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\AccessibleHandler.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\softokn3.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.VisualElementsManifest.xml	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-heap-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.ini	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\omni.ja	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\application.ini	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsd33C1.tmp\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\mozglue.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_70.png	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_150.png	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-string-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\vcruntime140.dll	setup-stub.exe

Executes dropped EXE 3 IoCs

pid	Process
2972	setup-stub.exe
2848	download.exe
2976	setup.exe

Loads dropped DLL 12 IoCs

pid	Process
1676	b66ce35796756741b46d1663fb5c191514233b2fdd00f1bd44e127deb4f26be3.exe
2972	setup-stub.exe
2972	setup-stub.exe
2972	setup-stub.exe
2972	setup-stub.exe
2972	setup-stub.exe
2972	setup-stub.exe
2972	setup-stub.exe
2972	setup-stub.exe
2972	setup-stub.exe
2848	download.exe
2976	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "404925068"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002e1e81ecbc95de49994f369c3e71718400000000020000000000106600000001000020000000fcdeeeb39bb6da3f8aa500023e5cbd5b076e59c1769a8d17c266631274d55341000000000e8000000002000020000000c54d49950b98897a6c3baf034a7109ea23bc2339b8fc11b48d20f203d62827d090000000fd8d5ee6eb8775ed73a51bac7bd45eb0403f05d650008aac31148a6187e854c3b4f6bde3a71b4a67195a7bfa6f3e7cad96e589c12ddd555d15d0fb4817a144e383386db54b3802dd4718b74247b32745895bca3853fe9d7e2ea67996a2f84cc269a6b9f5c97cd3494e665368a2c0a031616e7a6fdcc0f387217d26ada9e58ad1b3e6cf1465f33d1d644376cdbefc13f640000000fcb7a788734bb9eb67c4a465a08e35771849460c7eb1b4cdaaab1a592490e11e110647b00fde8627843f39580a54b0cf176d1ccbc96c2f8cd472de719a8d4a45	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002e1e81ecbc95de49994f369c3e7171840000000002000000000010660000000100002000000053f09eafd17b3305dd0db077969407cc3ec445399aa9c4a25b874ddda1a0167e000000000e80000000020000200000004eadc26499eb7f0955e1018aa6f79f4990aa98cff033c859e8320d7534c1259c200000006b5f34997f32be35419f94f2d4eea0e0a8bcf2e370a42086c0e65e5b4e9fefb34000000047291e8748eeb4d6221fd7db8b33da058e78e19f39507a12fb62335479d666da5cb258973e2f7bf8e5f6fe4c2531bc5a3992a140aceacd22ec2511ccd290734b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 302d8d34080cda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main	setup-stub.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5E1725C1-77FB-11EE-B692-C2ECF17AA700} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	setup-stub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	setup-stub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup-stub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup-stub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	setup-stub.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2972	setup-stub.exe
3068	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2972	setup-stub.exe
2972	setup-stub.exe
3068	iexplore.exe
3068	iexplore.exe
2544	IEXPLORE.EXE
2544	IEXPLORE.EXE
2544	IEXPLORE.EXE
2544	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 2972	1676	b66ce35796756741b46d1663fb5c191514233b2fdd00f1bd44e127deb4f26be3.exe	28
PID 1676 wrote to memory of 2972	1676	b66ce35796756741b46d1663fb5c191514233b2fdd00f1bd44e127deb4f26be3.exe	28
PID 1676 wrote to memory of 2972	1676	b66ce35796756741b46d1663fb5c191514233b2fdd00f1bd44e127deb4f26be3.exe	28
PID 1676 wrote to memory of 2972	1676	b66ce35796756741b46d1663fb5c191514233b2fdd00f1bd44e127deb4f26be3.exe	28
PID 1676 wrote to memory of 2972	1676	b66ce35796756741b46d1663fb5c191514233b2fdd00f1bd44e127deb4f26be3.exe	28
PID 1676 wrote to memory of 2972	1676	b66ce35796756741b46d1663fb5c191514233b2fdd00f1bd44e127deb4f26be3.exe	28
PID 1676 wrote to memory of 2972	1676	b66ce35796756741b46d1663fb5c191514233b2fdd00f1bd44e127deb4f26be3.exe	28
PID 2972 wrote to memory of 2848	2972	setup-stub.exe	30
PID 2972 wrote to memory of 2848	2972	setup-stub.exe	30
PID 2972 wrote to memory of 2848	2972	setup-stub.exe	30
PID 2972 wrote to memory of 2848	2972	setup-stub.exe	30
PID 2848 wrote to memory of 2976	2848	download.exe	33
PID 2848 wrote to memory of 2976	2848	download.exe	33
PID 2848 wrote to memory of 2976	2848	download.exe	33
PID 2848 wrote to memory of 2976	2848	download.exe	33
PID 2848 wrote to memory of 2976	2848	download.exe	33
PID 2848 wrote to memory of 2976	2848	download.exe	33
PID 2848 wrote to memory of 2976	2848	download.exe	33
PID 2976 wrote to memory of 3068	2976	setup.exe	34
PID 2976 wrote to memory of 3068	2976	setup.exe	34
PID 2976 wrote to memory of 3068	2976	setup.exe	34
PID 2976 wrote to memory of 3068	2976	setup.exe	34
PID 3068 wrote to memory of 2544	3068	iexplore.exe	35
PID 3068 wrote to memory of 2544	3068	iexplore.exe	35
PID 3068 wrote to memory of 2544	3068	iexplore.exe	35
PID 3068 wrote to memory of 2544	3068	iexplore.exe	35

C:\Users\Admin\AppData\Local\Temp\b66ce35796756741b46d1663fb5c191514233b2fdd00f1bd44e127deb4f26be3.exe
"C:\Users\Admin\AppData\Local\Temp\b66ce35796756741b46d1663fb5c191514233b2fdd00f1bd44e127deb4f26be3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Users\Admin\AppData\Local\Temp\7zSC86C1D36\setup-stub.exe
  .\setup-stub.exe
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Users\Admin\AppData\Local\Temp\nso3361.tmp\download.exe
    "C:\Users\Admin\AppData\Local\Temp\nso3361.tmp\download.exe" /LaunchedFromStub /INI=C:\Users\Admin\AppData\Local\Temp\nso3361.tmp\config.ini
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Users\Admin\AppData\Local\Temp\7zS02B8A886\setup.exe
      .\setup.exe /LaunchedFromStub /INI=C:\Users\Admin\AppData\Local\Temp\nso3361.tmp\config.ini
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.mozilla.org/firefox/system-requirements/
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3068
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3068 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
ce25de012b2eea5d3ed209702cec2d33

SHA1
efe2f308c8edd667121fd80956bf465ae3c63216

SHA256
d00f3958bb67ef73e241014c0886121bb037f0878e7e21c9c58e2c7dfec78968

SHA512
5547b0b8eb4c0e2d0c30a1373fd2f8069947451b9559973c90b9d8fd495c4cad5eaae062e81953ffcd8e4898063a1cff981ab8294743222fa9b496f0e2b9b9fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e670d89b1730520ce452286f13900b7c

SHA1
704f7ea38a4184b15bbfa1756fbeff4a8bfe5168

SHA256
0d0ff0a6bf57822d0a6f5affb6e493e44adb8c82412ee5370c7b6aa7803899c2

SHA512
bdb8c53e27e893f5a7544c0a6cb8284b4132969e534d91ac3ea005f0b0002ce7063970e67fa9af74dc7942594aae44ff0675056a2507467feb260017a066fb68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8e282eb66ba3e1401ecc92e131537591

SHA1
39ffd4edd1dd228655781fde46ece88518ddd07f

SHA256
80f4f8f262341ffbdf1bd8264bb0c1c2ef78bbf91567c671632d58bc0c30e202

SHA512
823b2e296b913ef29bec4e44f698321b69aaab913e70f96dddf23929d7b18e7bf7145135fccdd8e0e000d5b780f86013ade06af17235cd57a3acf359e7ea6faa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ed4189c6a0ab71482660bf0721477955

SHA1
31850cb4b9050597cd8b19d02907b233c85aafee

SHA256
e559ecb99158738137506681d541cf725e729a270dee2b89859f5f6592039fd4

SHA512
01846593095fa08d4398902ef65e36539c9785fb95fd99d3250da375b738f940572bb522daa438d999b90b33cf17628ee3806b236d93bf4c2a5bb1c02871faed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bfd449f8842dfd80baff8e4b4c07be07

SHA1
1960cd90c0290b4686e7ba8a3cfc771db1a13744

SHA256
d3fc41322c090ba6ff59f4cebd34baa95fc33ba73d7a6c55b7fc8b040bafc93c

SHA512
e7ac55ae7ea7938c791b44a57d84e72acade569936d0dbc3bf3c37ed9e972c8ac892ee20946baad31c30b2e8d4bcc775de19b24afe1aa2c7124bae00efccf1ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
03b33768d140d7e9fc37231320a01a9c

SHA1
0253f35ed28718ee81a295082276c3c2aad291d0

SHA256
a09113be99ce81877a36bac0491867a1b5214aa45eb3a92387f819fce572c64b

SHA512
9d06f5edad500afdb4ea958d1fa21c5179b0f5d741c67bee7eaa1391bf6620cf545de03162fe6ada75d58bef6fb4615f83c0410a09a0fe4b5decea253d0b21f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2b99690425d5b651e2dc73a62484bff6

SHA1
f5745e7ba228ddd954e96bccf11b151e905d50a0

SHA256
c562dcdefc9170e4b915c8e719fd911e596a2e6dcc017f69b391b2f81894ad81

SHA512
789b81f47cd618ead4ef834987ce8f39225668dbac43bbfeadaa48a817527172b620bba456ad508c04af9d288e56d2d4ec39702d16f948b63ad3a71ebbe7e98d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8c460aeff6a160cf0e91a03583e66e44

SHA1
9d7bc812b1f335e2ddb9cba0b2e41410f754625f

SHA256
62a54b475629bdf164acb46c74c879e9d56fc1f2e0bc97840eb022551dd3d9c1

SHA512
663dac617482302383427f481c6c67bff8e8a067df9a100b3069d90d7acbe6e45dea9bbe09d51c4cd86c12b6f239b6b1f25daac11cd6b5e8d2903f86adcebad1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9c180c796a578ff6200e33d010698423

SHA1
0d3a2dc1f75e225eae10538936580bf0ff8c5c74

SHA256
c33e765a67edc210f1fff4d342cbdbbd8d772a36f170a622664c2a213dae74d4

SHA512
dd4779ce7b28fccf94af0e66bb89613a2592713f998ddf6f14ba88c8885a386176c6182594966b18b18c3757f1db7ad565c029cbb4dc2f030628c0bf32089ebc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cf63bfe03a1f9fd4babeeecf6d49c7cf

SHA1
c301bf7c55af3307ac267d1ae5dfa637e86786b9

SHA256
f1b964393c651026cd09a48ea19fe995d87c7390f0961e9e6c766e48534b0d22

SHA512
ca3e6db46a7ecee3a957ec5faac3a0f3ff86adb331da5472258ef2aca6cab55a52dcd7dfb8110dabc8bde6cedec1292cf3e47ff84ffe52246813f3e9264afe4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
159479ebdf14054d9dc3c731430273fb

SHA1
d3fce18276004817273c01fac58b0d72698b74a5

SHA256
249890dd028d27396ffad924108db426e860dec11eb51d1111c361f7d8538d59

SHA512
7ea4a120f76b44ded38446b1ae707d7550821bdb6a10015b21b860193e53d3243b9388cf09a398e6b93a42fbb6df2ffba3afd74577d0eb0f13a5c05a7ea6d206

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0f8c1de36dbc23da3a36a0b77cbd4aaf

SHA1
7e49587241fcc8a7a3887de03f2aca430cf5e85c

SHA256
85206e6162ccecb92500c3d518d5b5354bee744a706125f5da56e29c0780f812

SHA512
e17958ff5f5ab43bd098e6665fc450ef013cb1624958d320c6a46aa1479e63afb9c5c56878a31504e4c4b5af8e32909201fe11bfdeedc33cdf1c35f9a4a87a37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a08ad12e2d454eb4bea9b68233613632

SHA1
463ce0a7a3f2912e0fc210f21aa55aa777aee032

SHA256
37204b457914f46268115c003ae0d2f9d40c007170a07f1062e70945a4f8faf7

SHA512
6486e6771437699c082f4b4c02952132796d298830c3c6d421f81b2f1f1f4a5dc06ce1a224a48ad580e7b043a45f994265657b3f09f6512084a52565dcb83876

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8e282eb66ba3e1401ecc92e131537591

SHA1
39ffd4edd1dd228655781fde46ece88518ddd07f

SHA256
80f4f8f262341ffbdf1bd8264bb0c1c2ef78bbf91567c671632d58bc0c30e202

SHA512
823b2e296b913ef29bec4e44f698321b69aaab913e70f96dddf23929d7b18e7bf7145135fccdd8e0e000d5b780f86013ade06af17235cd57a3acf359e7ea6faa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
54f1549be0de585b8e4ae3e1f3c0cff2

SHA1
3756970a19c518953e90d42da154ac084a9f2df4

SHA256
dadd66232d3e2b860d588634d2850bc195e3ac71f49e25454b9e8b373392d6db

SHA512
7557f27e30502bfc00a052ab2577696efdcf26884a15f62aa6f01f5f3d0c4c906cb7fe1eb7bc9e2e030834ff0c31e407b6613b045ba25bcd1bc7d23a3c8b48da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
31f5a1511f13777478e549741d1ddf2c

SHA1
9f298f544dfb92c9fe4a95578e5e8463d8fbc2f1

SHA256
4ce89848bef52e2892361bd20c79aeb65c0afb13fe0c4831061e139f21ae0032

SHA512
3b6f3a48d23599f385cf5ea01f45044c0c3f15eab71639004577482f232bd950fa5a2a2955c2a8cbaa76a386621d0820c4ecc747f9cd163bc54d42866f5d9be4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2eb8e9f8d23ce7b82eff6a20b07b0cbb

SHA1
786a5015fa42c6a496144a38f5c2f772a8bb11dd

SHA256
defec7a40c9c7f3bff2e05545ac3778eb39de567eac8599078f3f32c1ef0dbff

SHA512
c2a8c1119ba6b4eb00a9210958ada84e703b54bcaa89534be054a40013913e9ca6bf677d35991f0482c4ac708c3af82c8b08660232e94b5697ddf8968381b498

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
906cb4c7d8816baefe3e65dbdf02c4c7

SHA1
fc90ee3387e84405b9274d33639b7e65a8989386

SHA256
e2e3c67f22654f55ff21af087de206aa6016e54ec315de4ef3a28eb4da75b307

SHA512
f2965582a5fe5560a0eb403018bd1f1231652d062ff915b11ae4aa21d477ba5c2eca53cd86c0eefb6117e77e33e64fbd5e9c588939da58e4058ea64a4999a11a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
211c457725cbd202c22c07a0b56360cd

SHA1
59437521dfc30c845282d814fe6139e163d71bb9

SHA256
3f90aedc5b46ec8bce685910f14af64ab6c516918186ddb776c9c91ce0b3dfc2

SHA512
23f45b21d5a9f425b2428561e34094a49d8d62c12ddd4d7fbd6a9244c02c1db5a25eb8ade8907ae844594924c1fd9618423cac366799c38a13afe2fe0d1d5dfa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f70de9b02ecea9cb6d963a81601643b8

SHA1
1154020c50609d423147c95859f169555b0b864c

SHA256
afaf75794f435714002fb4e538ca328e486b6ba83b3aa6dd7d633ff5527be1d6

SHA512
a8a347f15cfb7c1fc0741f1df892aa1979e8e90cca32c8b178b86e09241046c30912ca6f73b2d77eff7e93d67f26d459dd11469981622896aa767660eebecb43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
63bf9712018a29b48e98ff21772d39b1

SHA1
ef31cab875cb165f7b7e2f7b8a5d0ffe338d5e52

SHA256
d7afb475818678dd3334ca469ca15164680c0671a09441f5ffd56578324c4c10

SHA512
02953008a03bfea479d558aeb19681f5da0659faa952fa1f96427e8914b2c2756dac2efa43fdfdb88884479b43e33bd80e4dba2b5c1d29cd7cbff6156368c8f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
afba5213a1f712b5dabca966998254cd

SHA1
3eae053371a5406a4609f57c3ed7c498cdc7b96a

SHA256
2b042ce672d67e70c729626fd180b251a2aef432cceee53f2c7b96a78355b702

SHA512
b5b19dee619ec5a2e36a5c3080433f8b974da8cd17dc1070ad45b0d2378813e4420f9b0f55c7e24bde176fbe34ca6a8640efd248cf80fd19d7f525ace6da5bca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b73fe1d88c9a076fed7b66393f0baaab

SHA1
2aa80131d497a35f67d768a534fb2cc5bdb15b1d

SHA256
398b2b6058aef9ff00e3c4251dfb693b66ce4b90b7746f8a11521fd545286d92

SHA512
d33af2e77be17a0c27d4c9d4adb647d58e7cbfd74d6819dda434aef9cf35b1c3d4561e3a26738cda40f54bf8f765ab42fff141eeabfe537561cf3e3c95e1566e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f3bb4f7e4d16d78541a2672bf98090a8

SHA1
49c56ac644fd3e1e122eedc3c40a3d9bf3de0bf5

SHA256
c4015dae99eccc0bd945bfdae1504f782f27bc8ae2cf0ca3d15bfccaa5515a20

SHA512
0a2fc5c0097b087c1b11228786a596175a980b5bc316f222ba8ca6a6d221c37a86000c1044dbf552dc9a8e63ef51ad74a9a9280096c92fb1624f751893aeddfa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eb96751ef03e3157aaa006849b6d914b

SHA1
8e9d19b009feecdb198a4b2ae6a6e69d722ca011

SHA256
f41a56009a4f6014eb18cb1e4af0c313ac29dfab25c04dd4bc57fa28ee45c4b6

SHA512
ee27c8ab6ce981eb593941c9d98582a690de6a9ba35710170ab7ed49101ab7f796f6bb8cf58cb85fb254808b7d5f05aad4721665ce0a0a856ba3fd3bba16359d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
519f8c5af50b6bdf4417bea5aa41eaa1

SHA1
2cec1eeb60b7a5d72ba411800da101986f407719

SHA256
04fbcc7fa5e0ad369271d7ddf957188800b11800558d9b5e01edb14353211785

SHA512
d2e78f2636495e85b94a77f20774189cb1d9c8bcf7602a64cf83f11d5689b6846153ab71dd26d52fa4781df9e460f1a0ae5403bdbd2ce40568a9f1a4b63c3fbb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
96c5f01351b40f7287c5c310f6e94c85

SHA1
629c5e6647e4972375e6c7beff3df43f9caba4bc

SHA256
f15d70996aa0019e4c46e183cee096686c27afb5dd51c10eacae1d73b45c780c

SHA512
b74fa1986474907054da23ccb09b5bccd127a3f6ea5cc26cd9947f0e8355b2ca5c10e60e0bcf157a814c442faee1de6495e687d8c35a4cdd4fda2873f1d2b5d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\pagsbca\imagestore.dat

Filesize
8KB

MD5
1908545f224bd1d742fac516299d2059

SHA1
815ffcf60c8b29fc894f4f4236e37bd271710f6a

SHA256
908a75c80169f49a60051b850606cda6f56d06a54908ab44ffe064844b53c8c1

SHA512
e14c7937e4d17f3471bf07e1376852c7e2f102ae0f01bc764d68cad261711df28cf88d38b62e0b872147f07da8b043298ca4f03bfea9d9313d8d3c9cfb2d7f44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9G8QJ0N4\favicon-196x196.59e3822720be[1].png

Filesize
7KB

MD5
59e3822720bedcc45ca5e6e6d3220ea9

SHA1
8daf0eb5833154557561c419b5e44bbc6dcc70ee

SHA256
1d58e7af9c848ae3ae30c795a16732d6ebc72d216a8e63078cf4efde4beb3805

SHA512
5bacb3be51244e724295e58314392a8111e9cab064c59f477b37b50d9b2a2ea5f4277700d493e031e60311ef0157bbd1eb2008d88ea22d880e5612cfd085da6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS02B8A886\setup.exe

Filesize
939KB

MD5
feb954828345ef268b32350f03b6ebf7

SHA1
66958242ff3544659749c93108c327353ed34de7

SHA256
72f9f572c4ac5dc934d5555e409475353a95d032c00c791546d2ab9c91a50df6

SHA512
89d6a9b1ba9b6b789935dfe837cba8caea20e5774f4ade1c0371403e2600f968d6a899e56e2f310ab1aff89aee5ef1e59a6440caea708f70009dc1fab9071fc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS02B8A886\setup.exe

Filesize
939KB

MD5
feb954828345ef268b32350f03b6ebf7

SHA1
66958242ff3544659749c93108c327353ed34de7

SHA256
72f9f572c4ac5dc934d5555e409475353a95d032c00c791546d2ab9c91a50df6

SHA512
89d6a9b1ba9b6b789935dfe837cba8caea20e5774f4ade1c0371403e2600f968d6a899e56e2f310ab1aff89aee5ef1e59a6440caea708f70009dc1fab9071fc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC86C1D36\setup-stub.exe

Filesize
551KB

MD5
117cd045562fe512e6375b68af0b7480

SHA1
70fabd822d3a50154703daaa54b5128f7f90af96

SHA256
5463813eca42cb1c8d189e116e116787b38037c9fbd2a0dbf370b4b2567bbb8f

SHA512
88163cdc6db9920bd24ae476bd41e8f059865aa1662d49e957c37374fce857fe7e2a0029d9d5082d58e79a82a4e84d73e10e87f022747684e72cc77f5e372de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC86C1D36\setup-stub.exe

Filesize
551KB

MD5
117cd045562fe512e6375b68af0b7480

SHA1
70fabd822d3a50154703daaa54b5128f7f90af96

SHA256
5463813eca42cb1c8d189e116e116787b38037c9fbd2a0dbf370b4b2567bbb8f

SHA512
88163cdc6db9920bd24ae476bd41e8f059865aa1662d49e957c37374fce857fe7e2a0029d9d5082d58e79a82a4e84d73e10e87f022747684e72cc77f5e372de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3BFF.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3C6F.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso3361.tmp\CertCheck.dll

Filesize
15KB

MD5
aed814f87d862cb5ceb00fd0a6d60fb8

SHA1
097418e9181e6b4d95f40410cd4dd962fe27c41b

SHA256
d56e2407b6050d669e94e452f1a54ee1859a1751179a3f1e2b4253305a23a0cf

SHA512
69593e12efe0736ada5a9e1b6f3c238a6434b88068361dfd2f7bb3e50addbf9b56ccaee30321362ce085ea700fbab03bae8494bba8c72e9e9983d3faa569b3d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso3361.tmp\InetBgDL.dll

Filesize
17KB

MD5
97c607f5d0add72295f8d0f27b448037

SHA1
dfb9a1aa1d3b1f7821152afaac149cad38c8ce3c

SHA256
dc98ed352476af459c91100b8c29073988da19d3adc73e2c2086d25f238544a5

SHA512
ad759062152869089558389c741876029198c5b98fa725e2d2927866dc8b416ae2de871cb2479f614f6d29b6f646bf7191d02837c3cabc15b8185b563bc46268

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso3361.tmp\UserInfo.dll

Filesize
14KB

MD5
610ad03dec634768cd91c7ed79672d67

SHA1
dc8099d476e2b324c09db95059ec5fd3febe1e1e

SHA256
c6c413108539f141bea3f679e0e2ef705898c51ec7c2607f478a865fc5e2e2df

SHA512
18c3c92be81aadfa73884fe3bdf1fce96ccfbd35057600ef52788a871de293b64f677351ba2885c6e9ce5c3890c22471c92832ffc13ba544e9d0b347c5d33bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso3361.tmp\WebBrowser.dll

Filesize
103KB

MD5
b53cd4ad8562a11f3f7c7890a09df27a

SHA1
db66b94670d47c7ee436c2a5481110ed4f013a48

SHA256
281a0dc8b4f644334c2283897963b20df88fa9fd32acca98ed2856b23318e6ec

SHA512
bb45d93ed13df24a2056040c219cdf36ee44c8cddb7e178fdaabcec63ac965e07f679ca1fa42591bba571992af619aa1dc76e819a7901709df79598a2b0cef81

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso3361.tmp\download.exe

Filesize
55.1MB

MD5
15f8b95a441a4df50eb01ff6b8403ef7

SHA1
fa647b0b183c733a321c96c93229f8906241e56d

SHA256
bce0dc828af01d35ac533842a6b443c72f4ae4edcfb90712bf9eb3db7f851f7a

SHA512
9bdc8bd01a2fd679c0d34f07b6c9a432bc1d149a2e446c642e98b6fc017acc8e1d53c763a954f897cc1fb251355fb02a51229553432a040c3107a8864a3c1aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso3361.tmp\download.exe

Filesize
55.1MB

MD5
15f8b95a441a4df50eb01ff6b8403ef7

SHA1
fa647b0b183c733a321c96c93229f8906241e56d

SHA256
bce0dc828af01d35ac533842a6b443c72f4ae4edcfb90712bf9eb3db7f851f7a

SHA512
9bdc8bd01a2fd679c0d34f07b6c9a432bc1d149a2e446c642e98b6fc017acc8e1d53c763a954f897cc1fb251355fb02a51229553432a040c3107a8864a3c1aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso3361.tmp\download.exe

Filesize
55.1MB

MD5
15f8b95a441a4df50eb01ff6b8403ef7

SHA1
fa647b0b183c733a321c96c93229f8906241e56d

SHA256
bce0dc828af01d35ac533842a6b443c72f4ae4edcfb90712bf9eb3db7f851f7a

SHA512
9bdc8bd01a2fd679c0d34f07b6c9a432bc1d149a2e446c642e98b6fc017acc8e1d53c763a954f897cc1fb251355fb02a51229553432a040c3107a8864a3c1aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso3361.tmp\installing.html

Filesize
1KB

MD5
32de55f44c497811dd7ed7f227f5c28d

SHA1
c111be08e7f3d268e7a2ed160d0c30833f25ae4a

SHA256
6259f3a41a703f13466503e6fbd37ca40e94f565a2f4b4087fbcd87a13bf3ee1

SHA512
48bb6f24b3ee2f4b7052205a3843ea34f917ee192b70261d2438c037b0e17d48bce8beb4c31be4141e9618922a45b6b47745b797e5618f18fe00bfc1625309ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso3361.tmp\installing.js

Filesize
2KB

MD5
dfa7861bca754036ab853b3bb02b194d

SHA1
46d7c5ba614b39caa4857fcba4bdedbabb2c67c0

SHA256
2c286b6eefd38f032a385f3ac6a1f794deab3bac0fbff71bd0ba21453f477878

SHA512
c58d96fb2496a84261a5e4b18cf4156a30f9ad161bbabc3652b6b5c24976f1ac432dced31927a9443260cdca0292524d1f691766b7c0731f926d37be11fe0c64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso3361.tmp\stub_common.js

Filesize
817B

MD5
58b8ac894c64370cfa137f5848aeb88d

SHA1
6a1ac1f88a918a232b79fe798b2de69cf433945f

SHA256
0e28aa770b0afade30be85c6dc1e50344db8f8cdd3fa01989d81a9e20a4990bd

SHA512
ae309518e0f926021e4d9378950c1a375263247d4f79d8a8cc09464cd01653ae5e707d52a4b0c36d532e649c246f4be6b5ba8648f58fb0e3e40c495ae63180ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstE34E.tmp\System.dll

Filesize
22KB

MD5
b361682fa5e6a1906e754cfa08aa8d90

SHA1
c6701aee0c866565de1b7c1f81fd88da56b395d3

SHA256
b711c4f17690421c9dc8ddb9ed5a9ddc539b3a28f11e19c851e25dcfc7701c04

SHA512
2778f91c9bcf83277d26c71118a1ccb0fb3ce50e89729f14f4915bc65dd48503a77b1e5118ce774dea72f5ce3cc8681eb9ca3c55cf90e9f61a177101ba192ae9

Download Submit
\Users\Admin\AppData\Local\Temp\7zS02B8A886\setup.exe

Filesize
939KB

MD5
feb954828345ef268b32350f03b6ebf7

SHA1
66958242ff3544659749c93108c327353ed34de7

SHA256
72f9f572c4ac5dc934d5555e409475353a95d032c00c791546d2ab9c91a50df6

SHA512
89d6a9b1ba9b6b789935dfe837cba8caea20e5774f4ade1c0371403e2600f968d6a899e56e2f310ab1aff89aee5ef1e59a6440caea708f70009dc1fab9071fc1

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC86C1D36\setup-stub.exe

Filesize
551KB

MD5
117cd045562fe512e6375b68af0b7480

SHA1
70fabd822d3a50154703daaa54b5128f7f90af96

SHA256
5463813eca42cb1c8d189e116e116787b38037c9fbd2a0dbf370b4b2567bbb8f

SHA512
88163cdc6db9920bd24ae476bd41e8f059865aa1662d49e957c37374fce857fe7e2a0029d9d5082d58e79a82a4e84d73e10e87f022747684e72cc77f5e372de4

Download Submit
\Users\Admin\AppData\Local\Temp\nso3361.tmp\CertCheck.dll

Filesize
15KB

MD5
aed814f87d862cb5ceb00fd0a6d60fb8

SHA1
097418e9181e6b4d95f40410cd4dd962fe27c41b

SHA256
d56e2407b6050d669e94e452f1a54ee1859a1751179a3f1e2b4253305a23a0cf

SHA512
69593e12efe0736ada5a9e1b6f3c238a6434b88068361dfd2f7bb3e50addbf9b56ccaee30321362ce085ea700fbab03bae8494bba8c72e9e9983d3faa569b3d2

Download Submit
\Users\Admin\AppData\Local\Temp\nso3361.tmp\CityHash.dll

Filesize
53KB

MD5
2021acc65fa998daa98131e20c4605be

SHA1
2e8407cfe3b1a9d839ea391cfc423e8df8d8a390

SHA256
c299a0a71bf57eb241868158b4fcfe839d15d5ba607e1bdc5499fdf67b334a14

SHA512
cb96d3547bab778cbe94076be6765ed2ae07e183e4888d6c380f240b8c6708662a3b2b6b2294e38c48bc91bf2cc5fc7cfcd3afe63775151ba2fe34b06ce38948

Download Submit
\Users\Admin\AppData\Local\Temp\nso3361.tmp\InetBgDL.dll

Filesize
17KB

MD5
97c607f5d0add72295f8d0f27b448037

SHA1
dfb9a1aa1d3b1f7821152afaac149cad38c8ce3c

SHA256
dc98ed352476af459c91100b8c29073988da19d3adc73e2c2086d25f238544a5

SHA512
ad759062152869089558389c741876029198c5b98fa725e2d2927866dc8b416ae2de871cb2479f614f6d29b6f646bf7191d02837c3cabc15b8185b563bc46268

Download Submit
\Users\Admin\AppData\Local\Temp\nso3361.tmp\System.dll

Filesize
22KB

MD5
b361682fa5e6a1906e754cfa08aa8d90

SHA1
c6701aee0c866565de1b7c1f81fd88da56b395d3

SHA256
b711c4f17690421c9dc8ddb9ed5a9ddc539b3a28f11e19c851e25dcfc7701c04

SHA512
2778f91c9bcf83277d26c71118a1ccb0fb3ce50e89729f14f4915bc65dd48503a77b1e5118ce774dea72f5ce3cc8681eb9ca3c55cf90e9f61a177101ba192ae9

Download Submit
\Users\Admin\AppData\Local\Temp\nso3361.tmp\UAC.dll

Filesize
28KB

MD5
d23b256e9c12fe37d984bae5017c5f8c

SHA1
fd698b58a563816b2260bbc50d7f864b33523121

SHA256
ec6a56d981892bf251df1439bea425a5f6c7e1c7312d44bedd5e2957f270338c

SHA512
13f284821324ffaeadafd3651f64d896186f47cf9a68735642cf37b37de777dba197067fbccd3a7411b5dc7976e510439253bd24c9be1d36c0a59d924c17ae8e

Download Submit
\Users\Admin\AppData\Local\Temp\nso3361.tmp\UserInfo.dll

Filesize
14KB

MD5
610ad03dec634768cd91c7ed79672d67

SHA1
dc8099d476e2b324c09db95059ec5fd3febe1e1e

SHA256
c6c413108539f141bea3f679e0e2ef705898c51ec7c2607f478a865fc5e2e2df

SHA512
18c3c92be81aadfa73884fe3bdf1fce96ccfbd35057600ef52788a871de293b64f677351ba2885c6e9ce5c3890c22471c92832ffc13ba544e9d0b347c5d33bfd

Download Submit
\Users\Admin\AppData\Local\Temp\nso3361.tmp\UserInfo.dll

Filesize
14KB

MD5
610ad03dec634768cd91c7ed79672d67

SHA1
dc8099d476e2b324c09db95059ec5fd3febe1e1e

SHA256
c6c413108539f141bea3f679e0e2ef705898c51ec7c2607f478a865fc5e2e2df

SHA512
18c3c92be81aadfa73884fe3bdf1fce96ccfbd35057600ef52788a871de293b64f677351ba2885c6e9ce5c3890c22471c92832ffc13ba544e9d0b347c5d33bfd

Download Submit
\Users\Admin\AppData\Local\Temp\nso3361.tmp\WebBrowser.dll

Filesize
103KB

MD5
b53cd4ad8562a11f3f7c7890a09df27a

SHA1
db66b94670d47c7ee436c2a5481110ed4f013a48

SHA256
281a0dc8b4f644334c2283897963b20df88fa9fd32acca98ed2856b23318e6ec

SHA512
bb45d93ed13df24a2056040c219cdf36ee44c8cddb7e178fdaabcec63ac965e07f679ca1fa42591bba571992af619aa1dc76e819a7901709df79598a2b0cef81

Download Submit
\Users\Admin\AppData\Local\Temp\nso3361.tmp\download.exe

Filesize
55.1MB

MD5
15f8b95a441a4df50eb01ff6b8403ef7

SHA1
fa647b0b183c733a321c96c93229f8906241e56d

SHA256
bce0dc828af01d35ac533842a6b443c72f4ae4edcfb90712bf9eb3db7f851f7a

SHA512
9bdc8bd01a2fd679c0d34f07b6c9a432bc1d149a2e446c642e98b6fc017acc8e1d53c763a954f897cc1fb251355fb02a51229553432a040c3107a8864a3c1aa6

Download Submit
\Users\Admin\AppData\Local\Temp\nstE34E.tmp\System.dll

Filesize
22KB

MD5
b361682fa5e6a1906e754cfa08aa8d90

SHA1
c6701aee0c866565de1b7c1f81fd88da56b395d3

SHA256
b711c4f17690421c9dc8ddb9ed5a9ddc539b3a28f11e19c851e25dcfc7701c04

SHA512
2778f91c9bcf83277d26c71118a1ccb0fb3ce50e89729f14f4915bc65dd48503a77b1e5118ce774dea72f5ce3cc8681eb9ca3c55cf90e9f61a177101ba192ae9

Download Submit
memory/1676-118-0x0000000001280000-0x00000000012E1000-memory.dmp

Filesize
388KB

Download
memory/1676-0-0x0000000001280000-0x00000000012E1000-memory.dmp

Filesize
388KB

Download
memory/2848-405-0x0000000000150000-0x00000000001B1000-memory.dmp

Filesize
388KB

Download
memory/2848-335-0x0000000000150000-0x00000000001B1000-memory.dmp

Filesize
388KB

Download
memory/2848-214-0x0000000000150000-0x00000000001B1000-memory.dmp

Filesize
388KB

Download
memory/2972-215-0x00000000035D0000-0x0000000003631000-memory.dmp

Filesize
388KB

Download
memory/2972-183-0x00000000035D0000-0x0000000003631000-memory.dmp

Filesize
388KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads