ce7a4fde03511062e18803fd19af93b8df6fec2a2256a3eb9e6ddce9e0abb5ca

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea99a31f195d75b746eefb152975fd2a_JaffaCakes118.exe
Size

365KB
MD5

ea99a31f195d75b746eefb152975fd2a
SHA1

b45cb7145be4cd8e9d440207481db6ff69ce6399
SHA256

ce7a4fde03511062e18803fd19af93b8df6fec2a2256a3eb9e6ddce9e0abb5ca
SHA512

30b7a01bb6978ec454431e1c6b70707a295a43c686594ac327a1613bfa8592bb3de929e6674ca47ae057b7ad73449bda86a1455eb0f9df2ab4b080f4ce0add6c
SSDEEP

6144:hGyG/jjaLwFjfmeCOzTiwWfaOKytqaCIkCud5mViltzLMPJm2iS7d:h3GaUFj+eCOzpWfa7yrCBkVoRLMRyS7d

Score

8^/10

persistence spyware stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
2716	RChXPAjxZMpJJyH.exe
2152	CTS.exe
2584	setup-stub.exe
2088	download.exe
268	setup.exe

Loads dropped DLL 14 IoCs

pid	Process
2060	ea99a31f195d75b746eefb152975fd2a_JaffaCakes118.exe
2716	RChXPAjxZMpJJyH.exe
2584	setup-stub.exe
2584	setup-stub.exe
2584	setup-stub.exe
2584	setup-stub.exe
2584	setup-stub.exe
2584	setup-stub.exe
2584	setup-stub.exe
2584	setup-stub.exe
2584	setup-stub.exe
2584	setup-stub.exe
2088	download.exe
268	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2060-0-0x0000000001200000-0x0000000001217000-memory.dmp	upx
behavioral1/files/0x000c0000000122c3-2.dat	upx
behavioral1/files/0x000b000000014a92-10.dat	upx
behavioral1/memory/2716-17-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2060-16-0x0000000001200000-0x0000000001217000-memory.dmp	upx
behavioral1/memory/2152-20-0x00000000000E0000-0x00000000000F7000-memory.dmp	upx
behavioral1/memory/2716-236-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/files/0x0006000000018b27-277.dat	upx
behavioral1/memory/2088-290-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	ea99a31f195d75b746eefb152975fd2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\qipcap64.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_150.png	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-conio-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\xul.dll.sig	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\lgpllibs.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-processthreads-l1-1-1.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-filesystem-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\IA2Marshal.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\Accessible.tlb	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nst3BBD.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\mozglue.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\application.ini	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaultagent_localized.ini	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\ucrtbase.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\platform.ini	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\ipcclientcerts.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-convert-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\dependentlibs.list	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nssckbi.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nst3BBE.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nst3BBC.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_70.png	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\d3dcompiler_47.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-stdio-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-synch-l1-2-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.ini	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\softokn3.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\xul.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaultagent.ini	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-timezone-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.VisualElementsManifest.xml	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\osclientcerts.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\notificationserver.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\mozavcodec.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\mozavutil.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\vcruntime140.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\freebl3.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-heap-l1-1-0.dll	setup-stub.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	ea99a31f195d75b746eefb152975fd2a_JaffaCakes118.exe
File created	C:\Windows\CTS.exe	CTS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 206d2bf51c8bda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "418897779"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007823eddbcee3e149bc4db86b21295af600000000020000000000106600000001000020000000eb8184266f742ec361f9612685c076d865d83543749016fcd071634415baac08000000000e80000000020000200000002e2db82dbac148bcf8be163cfb75eef6b6739b27a2cc9d9a0bbfe290dd9075c29000000080b0684b39368d778fd4f8f2235c80d85c71e46fe95483536091f49de58f4d8eb2c74da064ed4a247d16aba7918e0e19b35d69d10255c3f930ac10c907752e8393400eb6bee1b54008fd9787466e939d5b2c75d92df49f3aa2136309ce58786dfd91cc03846d9742884d9edf723e361b2e24d7a43a8ffcbeb067d03b78863418aac0da05cd81a50efbff4d985894261440000000de177d7911d48e9b28070c9baf738ba7fdd755ea52071355e59e94934d001dbfc893dcf6966ef19a85f476e69d78ffe9b431a5e7e499c5beb5d14ea6260bc142	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1F0BE251-F710-11EE-A49B-FA5112F1BCBF} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007823eddbcee3e149bc4db86b21295af600000000020000000000106600000001000020000000e5c377fcb952a3aff5242bcf8f56340c0339a4d0c6ef7eb0f15f012b12426dc8000000000e8000000002000020000000442ec81851d6aeb8b5f24980403d54a701b55653bee3639174d428c7657a314520000000a83059ba97488def0883b603a5239c29dceb37a04302476a0fd1e8a35a24aa0540000000d803b939b4586f5c0732c523e741da7d1b4029316b4c8cfdf7ac82e50664215462deefa1605da4f7d2e1edc49c2a8824e34b0de2c7555b005457d6392df4330f	iexplore.exe

Modifies system certificate store 2 TTPs 15 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	setup-stub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	setup-stub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup-stub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	setup-stub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup-stub.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2060	ea99a31f195d75b746eefb152975fd2a_JaffaCakes118.exe
Token: SeDebugPrivilege	2152	CTS.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2584	setup-stub.exe
332	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
332	iexplore.exe
332	iexplore.exe
972	IEXPLORE.EXE
972	IEXPLORE.EXE
972	IEXPLORE.EXE
972	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2716	2060	ea99a31f195d75b746eefb152975fd2a_JaffaCakes118.exe	28
PID 2060 wrote to memory of 2716	2060	ea99a31f195d75b746eefb152975fd2a_JaffaCakes118.exe	28
PID 2060 wrote to memory of 2716	2060	ea99a31f195d75b746eefb152975fd2a_JaffaCakes118.exe	28
PID 2060 wrote to memory of 2716	2060	ea99a31f195d75b746eefb152975fd2a_JaffaCakes118.exe	28
PID 2060 wrote to memory of 2152	2060	ea99a31f195d75b746eefb152975fd2a_JaffaCakes118.exe	29
PID 2060 wrote to memory of 2152	2060	ea99a31f195d75b746eefb152975fd2a_JaffaCakes118.exe	29
PID 2060 wrote to memory of 2152	2060	ea99a31f195d75b746eefb152975fd2a_JaffaCakes118.exe	29
PID 2060 wrote to memory of 2152	2060	ea99a31f195d75b746eefb152975fd2a_JaffaCakes118.exe	29
PID 2716 wrote to memory of 2584	2716	RChXPAjxZMpJJyH.exe	30
PID 2716 wrote to memory of 2584	2716	RChXPAjxZMpJJyH.exe	30
PID 2716 wrote to memory of 2584	2716	RChXPAjxZMpJJyH.exe	30
PID 2716 wrote to memory of 2584	2716	RChXPAjxZMpJJyH.exe	30
PID 2716 wrote to memory of 2584	2716	RChXPAjxZMpJJyH.exe	30
PID 2716 wrote to memory of 2584	2716	RChXPAjxZMpJJyH.exe	30
PID 2716 wrote to memory of 2584	2716	RChXPAjxZMpJJyH.exe	30
PID 2584 wrote to memory of 2088	2584	setup-stub.exe	33
PID 2584 wrote to memory of 2088	2584	setup-stub.exe	33
PID 2584 wrote to memory of 2088	2584	setup-stub.exe	33
PID 2584 wrote to memory of 2088	2584	setup-stub.exe	33
PID 2088 wrote to memory of 268	2088	download.exe	34
PID 2088 wrote to memory of 268	2088	download.exe	34
PID 2088 wrote to memory of 268	2088	download.exe	34
PID 2088 wrote to memory of 268	2088	download.exe	34
PID 2088 wrote to memory of 268	2088	download.exe	34
PID 2088 wrote to memory of 268	2088	download.exe	34
PID 2088 wrote to memory of 268	2088	download.exe	34
PID 268 wrote to memory of 332	268	setup.exe	36
PID 268 wrote to memory of 332	268	setup.exe	36
PID 268 wrote to memory of 332	268	setup.exe	36
PID 268 wrote to memory of 332	268	setup.exe	36
PID 332 wrote to memory of 972	332	iexplore.exe	39
PID 332 wrote to memory of 972	332	iexplore.exe	39
PID 332 wrote to memory of 972	332	iexplore.exe	39
PID 332 wrote to memory of 972	332	iexplore.exe	39

C:\Users\Admin\AppData\Local\Temp\ea99a31f195d75b746eefb152975fd2a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea99a31f195d75b746eefb152975fd2a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\RChXPAjxZMpJJyH.exe
  C:\Users\Admin\AppData\Local\Temp\RChXPAjxZMpJJyH.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\7zSC9ACB526\setup-stub.exe
    .\setup-stub.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Modifies system certificate store
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Users\Admin\AppData\Local\Temp\nsi3B2D.tmp\download.exe
      "C:\Users\Admin\AppData\Local\Temp\nsi3B2D.tmp\download.exe" /INI=C:\Users\Admin\AppData\Local\Temp\nsi3B2D.tmp\config.ini
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2088
    - - C:\Users\Admin\AppData\Local\Temp\7zS8283B656\setup.exe
        
        .\setup.exe /INI=C:\Users\Admin\AppData\Local\Temp\nsi3B2D.tmp\config.ini
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:268
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.mozilla.org/firefox/system-requirements/
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:332 CREDAT:275457 /prefetch:2
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:972
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
2KB

MD5
df406a63231be355e1397fd8827304a5

SHA1
8a241b1a25b91cd3a758d53e85e21cd4d94e30ad

SHA256
b616c570cdc98118566918c4d713feea7488867fa610b7e6c26ff7d7bca8d49c

SHA512
fb032dcd05d9fe1199c20ba9b43f1451db6b77adb35ce0d7223efe9c7014c6e96b8cd4a8371b0c1c14e727ef75de4753e54927d1ce9c1098fbcb6f8d32a77896

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
1KB

MD5
5b5d8df379e39cb99c2ef322d231ea91

SHA1
9e0428be41a3c549b42db3fe4afb4cc2b2c9eae0

SHA256
c4bfe55fb3b21a28a4fe4fdf088a7f87eca5d67c09bb62d60abc46025f7c15e3

SHA512
5ea0101b0d1b38a31bd52905d8e83fc1964905f6595fc1992b25be29519093a51131adceed43cbae8298b4b397fb6de5107b8c114beca63bf6dca9bbcfb544aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
a8e4f4ee770d696f40e110176209312c

SHA1
41b58bd970557b2c82156cad22e9c31facf9d2f7

SHA256
bb5108949435cd20146d120dd09570c2c2e37c7555d233e03d1919a5b48ff4a5

SHA512
9a24fb301f599b534060f715e0be83240cd2d073e542151c80e1d704d39e30ba331380ceabe5b6c571c4bc57772434015f172602cf30f5127f68e00c83e6d0b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7bae0e2d2fbfc26691f2c7fa2822079c

SHA1
d7456d45cdbd8d8250ec9bdd6503b252bb630a33

SHA256
b59107f7cdbc80f529bdd3327dcbd2059504a2b4253541ba2aaa0f60629b06eb

SHA512
1192e49b1959bf87173147aeab67f6ffde6ad40194875eb55f58b3fd95ed8b4e915a43fc2ac029e76365c98c31d91f929e9b7b907cce979adc75687078d01727

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f9308dd27c8de10b99fa67926100aa06

SHA1
305d03e5f22229ae489919442341362e678a9063

SHA256
b03fb352a53f55dadb386cd729b635f395aa241e63b1567a201c1c7262976ef1

SHA512
fefc5ef957904c03d5255dfaf5184f7724a272ca6bd7f94a1ff1bcaba2fd8ccdf767eb0c2297bd0cb4691a41d59d98fa0ac82a36ba7593f724692aa125d3a23b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6cfaf32dbd93d9856cf623ffd787af62

SHA1
738c052dcb13c11766c24747e5d880023d0ea98f

SHA256
260ae3c8fb8bdf550ff50d8063ed93820176fbf0e401feec957d43c4c14040ef

SHA512
5987c15e804a90be51177ab43ef66f3c18e1bd4f03cda4dd1f811e55ef6df8dfbe04d637a90c8a454dbad93067c504640bd6a710dfbad235445b0714e5c1586b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
070251124cedbcab977ea2c48603d517

SHA1
62b3fead4f400846ece1c440147f41deeac84e33

SHA256
91012db826c474c96e15cc1a4117092dfffbc9ff987bf8321b1e801fc3b7d46d

SHA512
339a210453ebd051277ab517faab59bde8d84278b5984ca27743e02e2a425adf84fff0b9e99f222b3afe5bc35da90a624b6477986f821048054fbe34c76bb7a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
708152cf26899b4c37e5e3efe6948c54

SHA1
2eb4cea778a035b6f24a6db65f8642a73b0d606e

SHA256
ce36fbd80fd2339976fff07af0aaac6cedd9b58d058f415e8030a57a55642ccf

SHA512
9af4fb5d32dd1218da83a0b8ef17761d36fdcd67c36f11efc92a5f243653319fa382e2637c751cf95b443156ab38277694ac7b896bf5b3621da659cf2e6c13b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1ac068a12ed086696b0c987ea9ef463a

SHA1
aa46adc0a56e2f01d00c64fd75ed3da36416566f

SHA256
c39c9cff32c94cd5dcc414db7e2d96a47b2e5bd6f94c8b3c38520dee1f83651c

SHA512
7da730d10910e2ca0b3460992c1aa8221d058ae9f75f7a0487eefcd14a1c63c04033011a7bfac86dc2e345c5032aa04929a70bcd640075b4c390b0b4d7a322c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2785bceb37ddca558c93d901845b2cb8

SHA1
f3dba5747dc483b925db1648f80c8ef402027960

SHA256
ae22b6442a7e49622b4cfa2ad1420301409629a211e28ca8d9862a8f75b6aafa

SHA512
cee9563a0dd89ff6767c9d5069fbbb0b59b5d77be2cee4b493692ca1a09291f3ed4bda1d62e8a70923022d21f2a35694b419068754acb940cedd1f1c1cbeb139

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ae7c77199bbf43d2475086084bbefb0c

SHA1
5dca9499d4117ecb142ae7efd5177eb5c6324ebf

SHA256
65e1921a408d50f18e5099ecdea344b6a1c38f7bdb1d10a8321a24bce3353d84

SHA512
4c36a75e7a27125157fc6600945ff42da7db52a77ec3f06ced7c3e54b8f4fd48acaddea6d98fca8bec097753fcb23fd2833232810fa2afadd2f23ebe3b4e8ac1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5db23c4e622c3fcda7ffca8734ffabd9

SHA1
1233ce27562c77e79a13058242c16b8a28b98e63

SHA256
d77b8be86e99603685f9dfc2e9d161996ccce5b73ec5f1f655f0b0369ea4c80d

SHA512
efd34066ed6cdc7ed93de1f0ae35a989be047d12ee051117470cacee071173162b267d4d4b58c62fd78181c857fefc5d4866a04151718ac81878538fc4cdbfee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
63997dce0661b9aadb6e8236c3321496

SHA1
4569c6918bb4307e825a943ca9ff6da4b2d134a2

SHA256
3b9dd13a7a36d0c5d592e1e8af81235816bddfa61c27794abbec321c9a3604b0

SHA512
60c2c7f2eaba349202c84e2ef40bd8f000c0d24d12fbc46305151ae3cf14c65bc645ff31617fa52a54ff4cbc3095b685eacccb3e7153ccb42a419fe68f4d1a81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ee4e36fc4592f7c43cd6e6efc124775c

SHA1
217a221247e50174d6877d1c5185a3a688cd8042

SHA256
8b7564a57cc9ed9469d7b7dfb343920d4ca6ac75c3706f4de162c97d0d899055

SHA512
eea5b93e95578d30bd41fab82f093ed8f0f675d0bff259a260550a64bdd60e76ec36273be86098f460660d5444368f0d9a8cb5d9b5184d6cda4498f18801ed56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8329e621e9df243b7821f0fc8a56b38d

SHA1
962b7e08d515973038960eef59548bea4a96bd8b

SHA256
cf8d6492884709680550aeb46a9e50d99168cd1f85b2dbe06a829ff5d922d132

SHA512
04be1051be69c95c99c391b1ed9ec887afc475905a81d7a42f5df078786a117689acb8a5402a311c835216f42fab4e2ce257d413408306b4875bbb54cab8d767

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
69692aeb0f508a48b575207d108205e8

SHA1
25736477d2f5add6e228d0c7e46646e48cfe8808

SHA256
9b952d6d191f364116bba494aacef40858831ecd952a583a609883b180272a50

SHA512
01f1410df874868ad8f74b6b7329bb18cc031543b17cca58ba6627dffc617d1118b77d5f6dfd3ff6534675ddcb3180b3f37ed73e3b87919c972a9ec8565e280e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a01fe1fb1c86597c2304762be236ecab

SHA1
3956a2648ddded2e9cf823a62da50937a0de610a

SHA256
4dbc63f719922ec6699fdddf04ccb778ec0be842d9e7b6e10de5dc10b0e23939

SHA512
add4870ad7e70e44abf7369ca93c3bdea162fef6ca0fda02404408a81e29fedc3c5224c4a2530c04eaf79e1ae9314aac12bcf33a1af3ecd98f199dc5f81d58d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ae73816f4b4a6c65303dae85e917d8bc

SHA1
e81964ca7585fc30d18c3f1730786c7f10be166b

SHA256
2581af6411db130686fa96cdb2d29a39a0503c75f2da77d294930aa8112a419a

SHA512
00a98aa276415fcc0dda06ac6f0bdd9e07b29fd6cb9b074d257ec3f7ccd7844d6cb76e3bd1ea660beefaac9c077390e8edb95a931bc4e8b67085847a47bd5a36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
075b5907d5ac9d04b021a99d60a2b164

SHA1
79b8ecb5d29b77fa4b9c1b2340e77815eb09f558

SHA256
74b6a1f69cdcf27b65a77a77860c2b04c66bef76b33aa9b7b435f57a46b591e7

SHA512
e2118a8fc5c3118b61b7264c0584a6c04fc0263976ab45e35e643e33ef5889ed474ec3ade24a3f964aa987e08a2f4b2b455851b7db758119e96fd680aaa6e5cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f78078d1d2fd7824d26cc4a07a9a404d

SHA1
379f13a1997c6c4411ed595fbcd25d218fd20ccd

SHA256
517945bdf462a17e55b052165944049dfa178fc7f68e72ef3fa7a8a07897bb97

SHA512
a9680f53a9e74f1f8b24b55ad2abca07b7dd0fa01a237babe0ead6623e282481dbc3f49cac1b4f274efa78b9e5520af373da3fa2eefbc3be0fafc391f871af7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6fff6e6aefe0f22fc2cba6f0fde0ad6e

SHA1
94f3407d133817cf69384fe4f5f0cf8b2f844bc0

SHA256
abff456fce4bd2b9a8ad74874d7a0231fc7f5d1c75e8eef9446f310e0ab9098d

SHA512
9246cbf074a362c037c3374f75249bfd8c8a44399e9cc0fc5d8897c9dd75de481c5a152b4ad9ea20cc9e7d4a1462b2fb994c7614acb2eb70377ddef6e77f2833

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2402218a73246cbb87e70d066aea620e

SHA1
8b256edf69db2f18b3c167de9bbf43ca01d21eec

SHA256
7dff413fcdff14b014d194a389b91744c6524d8b91df47b9c3c1ff3f92b99c27

SHA512
711c0a821fb5e183740027f4dbcf4f207482cd80041a66b4ad5e04d33229a21be3f0b88dde1ba4d8ca210e8728c9abc805b36cfc2b092501f8d26f237948a15b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ec951648ac317d8c4001e50919d87031

SHA1
1e348efabcde29d19bf712e9e73d02b1c3dcd331

SHA256
30cea5765a919be33a61eb50e0de01b8e1517530683a4716606c2396bc34bd2e

SHA512
4ad77a85194ab847d387b016f90c10d06ab7cefdea2ebddce501dd131a82368c1bd26f2df235f0925a47813a43d4c4f336127872191cd2dd09ee6f1f1053aad6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0fb84cf0e5903f24696b7d0c355382e8

SHA1
5d8a7c4c04f6dddde713c4d15632b2570f9262e1

SHA256
90eefb6a6aecb9db17311ac265da7c476f830ad57303d0e57a4b11e996235392

SHA512
f07b0202fdc0ed97f91a0509d5abdd74c54441ad27f4626ac07618977e1d03ac819e49735300993db99aa88a3e04109f0dfcaed6f0488000b610504ed43b9356

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f9237b38cf95c009e93a1d4211750582

SHA1
2ae5a34698dff7886412a1e2997453acd30ef313

SHA256
bf3a9ee094f9de721d26bd0467c05c9926bcbd18b1a12213d7f85b93b809c19b

SHA512
0a3778305cabaf0955089d792195cb33ac9f671a10b288d744745a2cc34c1aae1ec977a31d0eae5d92486022994a82a04b5b186a0fad177e48542412029aea67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
458B

MD5
f459ea59a7db864675900160f40573ee

SHA1
39328ff4cdfbbfdc0b2202da9f3c27f4ffe9cd9c

SHA256
e1426444e315791a17a5ec360241f208684a5eab5240969aba51d83b9600d37c

SHA512
f1ce80a77d422267c351f42bb7f1933296b46b9ef588c5ac34296f264ff287558a60e7545fc4a58a83e9c041c5f0ba61c5b10998fabb37b6ee595abfdad19e41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
432B

MD5
81ed9f96eb6a0f9d5572ed057b2167b2

SHA1
830a8f443307337279bf8f6b07516d229446af94

SHA256
6b4002f64aa91225506aca1c42f7f249cfdbdee9be85b11a73a477a823cd47d4

SHA512
035e39d180caa926fba722e9b8d0c5c36a0d4153e13d5e59313b995f5eef14270bb244170fc98100dcd1ce833ef68693853fad37b88971d765f709ad7d560ff6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
5bf760fb00ac282de11d6aeda0f28917

SHA1
0b38405be263bf07ef0242e21658e69ce99089ce

SHA256
3b3fdae284fc09cc1331a3900e2a5c9a447b619e298fb68bb369e8146b5c2ade

SHA512
b731fc838f41a26c1cb3c6516294efbce85e0c97640eaa609fa1cff3bcca81ff8e81b40462b485eebf09d44f441442c9d4b185ea8abbe755120d1da0b1de7c89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\l63kubb\imagestore.dat

Filesize
8KB

MD5
48b4d635cf25a474d62a2e42a10b797b

SHA1
3c19d2f8d2f3e116477c737bd50622da771d9e70

SHA256
f84e6df7659828e4b07a3602aefbd4310c562756b8f740a0e02868f3e3d12f42

SHA512
3711df91ed4b3baf191f106b0e5feb4cc5060cfd122c5989cf455fc612d26460e2ae320cb0ef5e612e35cc6f56178a4ecaa6a2fbfd4fb1c26277687d1ddfb2e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K224YIDM\favicon-196x196.59e3822720be[1].png

Filesize
7KB

MD5
59e3822720bedcc45ca5e6e6d3220ea9

SHA1
8daf0eb5833154557561c419b5e44bbc6dcc70ee

SHA256
1d58e7af9c848ae3ae30c795a16732d6ebc72d216a8e63078cf4efde4beb3805

SHA512
5bacb3be51244e724295e58314392a8111e9cab064c59f477b37b50d9b2a2ea5f4277700d493e031e60311ef0157bbd1eb2008d88ea22d880e5612cfd085da6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar41DE.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi3B2D.tmp\config.ini

Filesize
187B

MD5
ed23468cb20f1f37a967eb26f639faef

SHA1
5707e3d394b6a3e36e8b1e23317ec115bafa1e9c

SHA256
812217f840657b7d310c406d7224eb1c339079ad48541d922e3f15f1b2e3d913

SHA512
9a7d3073b2d7d234eee56464df7b58be4466171c3cad47ebf0d4742c0ed05555ac890a18991ef59bf8b0751a207ea04f86a728fe3b0cb19607b9f6e4f45e76f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi3B2D.tmp\download.exe

Filesize
57.8MB

MD5
1e27e7745bba839a11fde43ee09614fb

SHA1
8ea7d0013e5f4327adef0384427f14adf8d2e9e6

SHA256
3d60842520fdca462a8c9e3c998eb2e3a267dc801af1100953910038b0da0906

SHA512
bce358d57a36bc1d9326f944b7aa3b3f59c3174b8a5d4c7e2ee7b4fe90b1ac3cfb49e79ffb68564359680f6920cf32ac889252aff2a13424bc252d412504f40e

Download Submit
C:\Windows\CTS.exe

Filesize
59KB

MD5
5efd390d5f95c8191f5ac33c4db4b143

SHA1
42d81b118815361daa3007f1a40f1576e9a9e0bc

SHA256
6028434636f349d801465f77af3a1e387a9c5032942ca6cadb6506d0800f2a74

SHA512
720fbe253483dc034307a57a2860c8629a760f883603198d1213f5290b7f236bf0f5f237728ebed50962be83dc7dc4abe61a1e9a55218778495fc6580eb20b3d

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8283B656\setup.exe

Filesize
939KB

MD5
43947976824aa63f057de1ac7a99c377

SHA1
5f6d978b9bd3ad7e435848090d7d53e27edcf66a

SHA256
c57ccd8514fe77530c62f67b5a069afb0a912a11892e890dccfdb5a64b1f9531

SHA512
2c812802b5c1150c406e8dae2857d13783f8aeaf2a29acdc65f8d86ba1f3e0f9164823a414a868b51a98f94f41f784659b39c0d9451deae756f93af144134ada

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC9ACB526\setup-stub.exe

Filesize
407KB

MD5
27eba7c268114cde294ba56de94c1814

SHA1
0a0bbce1beaadb36e92bbcd1ed7de601e79528c1

SHA256
958aaac6fec9912ff65b7fa3ee87df665ee38ded11c90222b82efe8569847c9e

SHA512
5879384d9d22771b96db3b37ff9fb625f5c09ef3aea75919889b4450cd1efaa73c61f017d4a32802acfe8c0c90a1ed585062eec1b1331ac0cef8c45e31fffb98

Download Submit
\Users\Admin\AppData\Local\Temp\RChXPAjxZMpJJyH.exe

Filesize
306KB

MD5
b1ec7bff4192f75a0a53608047a190e9

SHA1
7686a580333e8d60e1806418c8467e85beab4d2a

SHA256
134e9f12545c3300eedc7a5644c28f390e00918a15fbcf2143492810ab4a5474

SHA512
2af2d71ef3f292888adbe9836ae8bb3b1a8f99f4c95be0565515adf544c989e4ff722342721500b0aefc5f57178a1de9a916c4096c3f6722b42dcd0063cd6067

Download Submit
\Users\Admin\AppData\Local\Temp\nsi3B2D.tmp\CertCheck.dll

Filesize
4KB

MD5
837429ef2393bd6f8d7ae6ab43669108

SHA1
bc1a6e461de60db2f3036778c761103c02374082

SHA256
9e1831bf44b75980903eff8446960f21ab323b9f8249ddb49519718d873135d5

SHA512
c9b464377720799030e7303ea98acd38dc56ef0ae613ec540a5d9907d84bb7c455f6e02b38073901ee717bfdbf92137ab095aa9ce047971b6a2e6d3bc9d039d1

Download Submit
\Users\Admin\AppData\Local\Temp\nsi3B2D.tmp\InetBgDL.dll

Filesize
33KB

MD5
73a0bec837004bc5ae5cd0a5b0d3bcf8

SHA1
92cb463841b6adeecb8cc9cc8eb5f39a61dc7edd

SHA256
0dd38281a824298100b2bc89ee5b8a5c9cd9ec7a3b051dff42037a891fa7c534

SHA512
f7aa18261fb4ef99b66e9a16e2df6323d34444de84a5bdabd3890154b0207f8509f34f2fe115b00e2396d33df778be6456a7fd754cc00271f8189e5a4420b6d2

Download Submit
\Users\Admin\AppData\Local\Temp\nsi3B2D.tmp\System.dll

Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nsi3B2D.tmp\UAC.dll

Filesize
18KB

MD5
113c5f02686d865bc9e8332350274fd1

SHA1
4fa4414666f8091e327adb4d81a98a0d6e2e254a

SHA256
0d21041a1b5cd9f9968fc1d457c78a802c9c5a23f375327e833501b65bcd095d

SHA512
e190d1ee50c0b2446b14f0d9994a0ce58f5dbd2aa5d579f11b3a342da1d4abf0f833a0415d3817636b237930f314be54e4c85b4db4a9b4a3e532980ea9c91284

Download Submit
\Users\Admin\AppData\Local\Temp\nsi3B2D.tmp\UserInfo.dll

Filesize
4KB

MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
\Users\Admin\AppData\Local\Temp\nsi3B2D.tmp\nsDialogs.dll

Filesize
9KB

MD5
42b064366f780c1f298fa3cb3aeae260

SHA1
5b0349db73c43f35227b252b9aa6555f5ede9015

SHA256
c13104552b8b553159f50f6e2ca45114493397a6fa4bf2cbb960c4a2bbd349ab

SHA512
50d8f4f7a3ff45d5854741e7c4153fa13ee1093bafbe9c2adc60712ed2fb505c9688dd420d75aaea1b696da46b6beccc232e41388bc2a16b1f9eea1832df1cd7

Download Submit
\Users\Admin\AppData\Local\Temp\nsi3B2D.tmp\nsJSON.dll

Filesize
18KB

MD5
e89c7cd9336d61bb500ac3e581601878

SHA1
45b2563daa00ba1b747615c23c38ef04b95c5674

SHA256
431fc2ed27d0b7a1ce80de07989595effcc3ffb1dea1af6c0e178b53f6bd2f1e

SHA512
09485a354ac4ace6084cb6fcbd92eee8488074763c8443638f78e655e45e8aa0fe40a45d4ce0dff116ed3a4bb7bc4d7d845a6ccf0e0bf35533ce81626a8db06f

Download Submit
\Users\Admin\AppData\Local\Temp\nstC39E.tmp\System.dll

Filesize
22KB

MD5
b361682fa5e6a1906e754cfa08aa8d90

SHA1
c6701aee0c866565de1b7c1f81fd88da56b395d3

SHA256
b711c4f17690421c9dc8ddb9ed5a9ddc539b3a28f11e19c851e25dcfc7701c04

SHA512
2778f91c9bcf83277d26c71118a1ccb0fb3ce50e89729f14f4915bc65dd48503a77b1e5118ce774dea72f5ce3cc8681eb9ca3c55cf90e9f61a177101ba192ae9

Download Submit
memory/2060-15-0x0000000000130000-0x0000000000147000-memory.dmp

Filesize
92KB

Download
memory/2060-16-0x0000000001200000-0x0000000001217000-memory.dmp

Filesize
92KB

Download
memory/2060-6-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2060-0-0x0000000001200000-0x0000000001217000-memory.dmp

Filesize
92KB

Download
memory/2088-290-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2152-20-0x00000000000E0000-0x00000000000F7000-memory.dmp

Filesize
92KB

Download
memory/2584-420-0x0000000004190000-0x00000000041D6000-memory.dmp

Filesize
280KB

Download
memory/2584-287-0x0000000004190000-0x00000000041D6000-memory.dmp

Filesize
280KB

Download
memory/2584-222-0x0000000002620000-0x000000000262B000-memory.dmp

Filesize
44KB

Download
memory/2716-236-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2716-17-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads