6e235177627a1a89c88eebc8fe565bec1d78a333ebd8ee78fac238d6d6c9cc4f

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_7a50c28b9af18691eab4c788b1905ccf_magniber_metamorfo.exe
Size

43.5MB
MD5

7a50c28b9af18691eab4c788b1905ccf
SHA1

f7044b4d4a048adea9fc50379e29a56ec846092b
SHA256

6e235177627a1a89c88eebc8fe565bec1d78a333ebd8ee78fac238d6d6c9cc4f
SHA512

885d411018babc29f06740b34fa7bb32192ed0dc50097dd1db6dfcb284b90bbbae39672090f3eebc15bbfaeb9fa2247392acb7469e2d14735b8b250574ff588f
SSDEEP

786432:usmrdD/kCPKFRP2smnN1b1r7BZJBIrhSVKvGULXYW/zNMz9YXkWWv3SpeGKC:jmriesmnNlZJdKeupqzyX9WfSpeG/

Score

8^/10

bootkit persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

KB931125.exeKB931125.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}\Locale = "*"	KB931125.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}\ComponentID = "Windows Roots Update"	KB931125.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}\Version = "28,0,2195,0"	KB931125.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}\ = "RootsUpdate"	KB931125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}\IsInstalled = "1"	KB931125.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}\Version = "28,0,2195,0"	KB931125.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}	KB931125.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}\ = "RootsUpdate"	KB931125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}\IsInstalled = "1"	KB931125.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}\Locale = "*"	KB931125.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}\ComponentID = "Windows Roots Update"	KB931125.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF289A85-8E57-408d-BE47-73B55609861A}	KB931125.exe

Executes dropped EXE 10 IoCs

Processes:

KB931125.exeupdroots.exeupdroots.exeupdroots.exeupdroots.exeKB931125.exeupdroots.exeupdroots.exeupdroots.exeupdroots.exe

pid	process
2732	KB931125.exe
2824	updroots.exe
2524	updroots.exe
2588	updroots.exe
2760	updroots.exe
2832	KB931125.exe
1292	updroots.exe
308	updroots.exe
1452	updroots.exe
1088	updroots.exe

Loads dropped DLL 31 IoCs

Processes:

2024-05-24_7a50c28b9af18691eab4c788b1905ccf_magniber_metamorfo.exeKB931125.exeupdroots.exeupdroots.exeupdroots.exeupdroots.exeKB931125.exeupdroots.exeupdroots.exeupdroots.exeupdroots.exe

pid	process
3008	2024-05-24_7a50c28b9af18691eab4c788b1905ccf_magniber_metamorfo.exe
3008	2024-05-24_7a50c28b9af18691eab4c788b1905ccf_magniber_metamorfo.exe
2732	KB931125.exe
2732	KB931125.exe
2732	KB931125.exe
2732	KB931125.exe
2824	updroots.exe
2732	KB931125.exe
2732	KB931125.exe
2524	updroots.exe
2732	KB931125.exe
2732	KB931125.exe
2588	updroots.exe
2732	KB931125.exe
2732	KB931125.exe
2760	updroots.exe
3008	2024-05-24_7a50c28b9af18691eab4c788b1905ccf_magniber_metamorfo.exe
2832	KB931125.exe
2832	KB931125.exe
2832	KB931125.exe
2832	KB931125.exe
1292	updroots.exe
2832	KB931125.exe
2832	KB931125.exe
308	updroots.exe
2832	KB931125.exe
2832	KB931125.exe
1452	updroots.exe
2832	KB931125.exe
2832	KB931125.exe
1088	updroots.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

2024-05-24_7a50c28b9af18691eab4c788b1905ccf_magniber_metamorfo.exe

description ioc process

File opened for modification \??\PhysicalDrive0 2024-05-24_7a50c28b9af18691eab4c788b1905ccf_magniber_metamorfo.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	2024-05-24_7a50c28b9af18691eab4c788b1905ccf_magniber_metamorfo.exe

Drops file in Windows directory 2 IoCs

Processes:

KB931125.exeKB931125.exe

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.app.log	KB931125.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	KB931125.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 64 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

updroots.exeupdroots.exeupdroots.exeupdroots.exeupdroots.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A073E5C5BD43610D864C21130A855857CC9CEA46	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\20CB594FB4EDD895763FD5254E959A6674C6EEB2\Blob = 03000000010000001400000020cb594fb4edd895763fd5254e959a6674c6eeb2090000000100000056000000305406082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070308060a2b0601040182370a0304060a2b0601040182370a030c06082b060105050703090b00000001000000340000004d004f004700410048004100200047006f007600740020006f00660020004b006f007200650061002000470050004b004900000020000000010000008e0300003082038a30820272a003020102021045f8e0e401c53e71e6bd716d979c4123300d06092a864886f70d0101050500304f310b3009060355040613024b52311c301a060355040a1313476f7665726e6d656e74206f66204b6f726561310d300b060355040b130447504b49311330110603550403130a47504b49526f6f744341301e170d3037303331353036303030345a170d3137303331353036303030345a304f310b3009060355040613024b52311c301a060355040a1313476f7665726e6d656e74206f66204b6f726561310d300b060355040b130447504b49311330110603550403130a47504b49526f6f74434130820121300d06092a864886f70d01010105000382010e0030820109028201005a2b41159bdb762601f054720b87131fa0d03f96aa0db33481de485a9ff3705ac2f13a9e04f04e947997e1f4b5144cd76fc48b18b7dc122b1d0a9bee200c5b8ffff9af829e9846d03d5d28f39716c15ce556bf44a400a17acb9b7a5bdcd4edfbf2a00267001e44e58a01dca5a34efed60c67ca49b9f0d0a0f94d1f03d386ef0d85754df3edfbcd6a660457f4579bac668a4fc2a84f718909dd4c00df96bbd5900ab4b66a6dc6bfd39929ff62f010da45ac09720b8210e815a88b5fe2a25a791ec267fde944570b03d0211551b000f38f6de223f04921d96dcf623decebfd2892013f7aa3727cebf3aee7f80aec6ead7a9b55c9304b9cb661466b581afe9f481d0203010001a3633061301f0603551d23041830168014166732f4685e683147dbedecce612e9a2446c47d301d0603551d0e04160414166732f4685e683147dbedecce612e9a2446c47d300e0603551d0f0101ff0404030201ae300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100356352c660181cb7c2c15a5802ec07d5a19093fc8047d05278ab85f876d3b8b01832a0b6906813663d6faf8edcf6a3c4ce395fafed0a66e07c11c80ccb9e1f38298a8bdec8632ec7b4d2ce369194e04f8492b6aa22a8fd31a73348c95bf613d81616eb1f3fa54e06933ad906653096fa8d06dba11af42bfa0f68f0c12b7c9d05d709423bd22f9190fc0e6b385bb275a9579c5764f59820a4ffd43004e4ce1f90c92fc1df5a56b8cbaaaab4bfebb8f7224a4dc135f465bd78bc6f781b563a81e80df5c2a51730d38d5777cba5c14cb130dd34b8ab920a2202368bf66cf761b908ee30ad1aa844f12e32ec83a248483a675fe96f1b1733082ac1c9c3679a0e8567	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CFF810FB2C4FFC0156BFE1E1FABCB418C68D31C5\Blob = 0b0000000100000050000000430065007200740069007300690067006e0020004100750074006f00720069006400610064006500200043006500720074006900660069006300610064006f0072006100200041004300330053000000090000000100000016000000301406082b0601050507030406082b06010505070301030000000100000014000000cff810fb2c4ffc0156bfe1e1fabcb418c68d31c52000000001000000b7020000308202b33082021c020100300d06092a864886f70d01010405003081a1310b3009060355040613024252311730150603550408130e52696f206465204a616e6569726f311730150603550407130e52696f206465204a616e6569726f312e302c060355040a132543657274697369676e20436572746966696361646f7261204469676974616c204c7464612e3130302e060355040b132743657274697369676e204175746f72696461646520436572746966696361646f72612041433353301e170d3939303730393230353633325a170d3138303730393230353633325a3081a1310b3009060355040613024252311730150603550408130e52696f206465204a616e6569726f311730150603550407130e52696f206465204a616e6569726f312e302c060355040a132543657274697369676e20436572746966696361646f7261204469676974616c204c7464612e3130302e060355040b132743657274697369676e204175746f72696461646520436572746966696361646f7261204143335330819f300d06092a864886f70d010101050003818d0030818902818100ce644ed6cfae7c982798ef28efba34c3351a9dd2661e71f1e4962d27173990458f2defe6d547a9e183817c3e2871fa80bb5df8436b1910c1986f159e2dae496444ec841a69591657b23d92d8664bbf99ad4318c738c98b8e2c042eb34b6b93f69d1f84b2cde600c2be36a5bc59b59f8b1920ffe5a828a455b68ab6b2c5d744e30203010001300d06092a864886f70d010104050003818100cb75d7e4c1fff2a0438c9d2ea4439fae9148b86ab7ffc8338c13c6d2e426707ab8adedac9bc5a52baa578b04d781cdaa0d396fe444a9906502f7fa78d6d45577c56b40247854cbc446b1e5d28640859008fcdb15abce2a3e68be175fc4b2d0bcb22dcd4cb70cc42df8d60b4183cae474690be155b1911cc94a3c3ef052141df4	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\039EEDB80BE7A03C6953893B20D2D9323A4C2AFD\Blob = 030000000100000014000000039eedb80be7a03c6953893b20d2d9323a4c2afd090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080b000000010000005c000000470065006f005400720075007300740020005000720069006d006100720079002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790020002d002000470033000000200000000100000002040000308203fe308202e6a003020102021015ac6e9419b2794b41f627a9c3180f1f300d06092a864886f70d01010b0500308198310b300906035504061302555331163014060355040a130d47656f547275737420496e632e31393037060355040b133028632920323030382047656f547275737420496e632e202d20466f7220617574686f72697a656420757365206f6e6c79313630340603550403132d47656f5472757374205072696d6172792043657274696669636174696f6e20417574686f72697479202d204733301e170d3038303430323030303030305a170d3337313230313233353935395a308198310b300906035504061302555331163014060355040a130d47656f547275737420496e632e31393037060355040b133028632920323030382047656f547275737420496e632e202d20466f7220617574686f72697a656420757365206f6e6c79313630340603550403132d47656f5472757374205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473330820122300d06092a864886f70d01010105000382010f003082010a0282010100dce25e62581d3357393233faebcb878ca7d44add0688ea648e3198a538901e98cf2e632bf046bc44b289a1c0280c497021959f64c0a6931202652686c6a589f0fad784a070af4f1a973f0644d5c9eb72107de43128fb1c61e628074473922269a703886c9d63c852da9827e7084c703eb4c912c1c567835d33f30311ec6ad053e2d1ba36609480bb61636c5b177edf40941eab0dc221287088ffd6266c6c6004254e557e7defbf9448deb71ddd708d055f88a59bf2c2eeead140416d62381d5606c50347512019fc7b100b0e62ae7655bf5f77be3e4901533d98250376245a1db4db89ea79e5b6b33b3fba4c28417f06ac6a8ec1d0f6051d7de64286e3a5d5470203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c479ca8ea14e031d1cdc6bdb315b943e3f307f2d300d06092a864886f70d01010b050003820101002dc513cf56807b7a78bd9fae2c99e7efdadf945e0969a7e76e688cbd72be47a90e9712b84af164d339df2534d4c1cd4e81f00f04c424b33496c6a6aa30df686173d7f98e8589ef0e5e95284a2a278f108e2e7c86c4029eda0c77650e440d92fdfdb31636fa110d1d8c0e07896a2956f772f4dd159c77356657ab1353d88ec140c5d713165a72c7b76901c47ab18301687d8d41a19418c1255cfcf0fe8302877c0d0dcf2e085c4a400d3eec8161e624dbcae00e2d07b23e56dc8df5418507489b0c0bcb493f7decb7fdcb8d67891aabedbb1ea3000808172a825c315d468a2d0f869b74d945fbd440b17aaa682d86b29922e1c12bc79cf8f35fa88212eb19112d	updroots.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E3D73606996CDFEF61FA04C335E98EA96104264A	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E0B4322EB2F6A568B654538448184A5036874384\Blob = 030000000100000014000000e0b4322eb2f6a568b654538448184a5036874384090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b060105050703070b000000010000000e00000045004400490043004f004d0000002000000001000000b9050000308205b53082039da0030201020208618dc7863b018205300d06092a864886f70d010105050030443116301406035504030c0d4143454449434f4d20526f6f74310c300a060355040b0c03504b49310f300d060355040a0c06454449434f4d310b3009060355040613024553301e170d3038303431383136323432325a170d3238303431333136323432325a30443116301406035504030c0d4143454449434f4d20526f6f74310c300a060355040b0c03504b49310f300d060355040a0c06454449434f4d310b300906035504061302455330820222300d06092a864886f70d01010105000382020f003082020a0282020100ff9295e1680676b42cc85848cafd805429556324ff90659b10757bc36adb620201f21886b57c5a38b1e458b9fbd3d82d9fbd3237bf2c156dbeb5f421d21391d907ad0105d6f3bd77ce5f42810af96ae38300a82b2e55136381ca471c7b5c16577a1b8360043a3e65c3cd01dedea4d60cba8eded904ee1756229b8f63fd4d160bb77b778cf925b5d16d99122e4f1ab8e6ea0492ae3d11b951423d87b03185af795a9cfee74e5e924f43fcab3aada5122666b9e20cd798ced458a595400ab7449d13742bc2a5eb22159810d88bc5049f1d8f60e5061b9bcfb979a03da2233f423f6bfa1c037b308dce6cc0bfe61b5fbf67b88419d515ef7bcb90363162c9bc02ab465f9bfe1a6894343d908eadf6e41d097f4a88383fbe67fd3496f51dbc3074cb38eed56cabd4fcf400b7005b8532167633e9d8a3999d0500aa16e6f3817d6f7daa866dad1574d3c4a271aaf4147de732b81fbcd5f14ebd6f170239d70e95423ac7003ee9266311ea0bd14aff189db2d77b2f3ad996fbe81e92ae1355c8d927f6dc481bb024c185e3779d9aa4f30c111d0dc8b414eeb5825709bf20587f2f2223d870cb796cc94bf2a92ac8fc872bd71a50f827e82f43e33abdd85771fdcea6525bf9dd4dede5f66f89edbb939c762175f0924c29f72f9c012efe50469e640c14b3075bc5c2736cf1075c45241435ae83f16a4d897afab3d82d66f03687f52b530203010001a381aa3081a7300f0603551d130101ff040530030101ff301f0603551d23041830168014a6b3e12b2b49b6d773a1aa94f501e773654cac50300e0603551d0f0101ff040403020186301d0603551d0e04160414a6b3e12b2b49b6d773a1aa94f501e773654cac5030440603551d20043d303b30390604551d20003031302f06082b060105050702011623687474703a2f2f6163656469636f6d2e656469636f6d67726f75702e636f6d2f646f63300d06092a864886f70d01010505000382020100ce2c0b525162267d0c27838fc5f6daa0687b4f925eeaa47332115344b244cb9dec0f7942b310a6c70d9dcbb6fa3f3a7ceabf88531b3cf782fa053533e135a857c0e7fd8d4f3f93324f786603770758e995c87e3ed079008cf21b51339bbc94e93a7b6e522d329e23a445fbb62e13b08b18b1ddced51da7427f55befb5bbb47d4fc24cd04ae960515d6acce30f3ca0bc5bae222e0a6ad22e402ee74117f4cff781d35dae60234eb1812617706091663ea18ada2871ff2c7800909754e10a88f3d86b87511c024628a967b4a45e9ec59c5be6b83e6e1e8acb5301efe050780f9e1230d508f0598ff2c5fe83bb6adcf81b52187ca082a232730202bcfed945bacb27ad2c728a18a0b9b4d4a2c6d853f09723c67e2d9dc07baeb657b5a0163d6905b4f17663d7f0b19a3936310522a9f141658e2dca5f4a1168b0e918b81ca9b59fad86b910765555f521faf3afb90dd69a55b9c6d0e2cb6faceaca57c324a6740dc303423ddd7042366f0fc5580a7fb66198235676270395e6fc7ea904044081eb8b2d6dbee59a70d187934bc54185e53ca3451ed450ae68ec782363ea73863a9302c171060929f5587125910c20f676911cc4e1e7e4a9aadaf40a875ac569074b8a09ca5796fdce91ac86905e9bafa03b37ce4e04ec2ce9de8b6460d6e7e573a6794c2cb1f9c774a674e6986439338fbb6db4f8391d4607e4b3e2b380755985ea4	updroots.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DA40188B9189A3EDEEAEDA97FE2F9DF5B7D18A41\Blob = 030000000100000014000000da40188b9189a3edeeaeda97fe2f9df5b7d18a41090000000100000020000000301e06082b0601050507030406082b0601050507030106082b060105050703030b000000010000003c000000450071007500690066006100780020005300650063007500720065002000650042007500730069006e006500730073002000430041002d003100000020000000010000008602000030820282308201eba003020102020104300d06092a864886f70d01010405003053310b3009060355040613025553311c301a060355040a1313457175696661782053656375726520496e632e312630240603550403131d45717569666178205365637572652065427573696e6573732043412d31301e170d3939303632313034303030305a170d3230303632313034303030305a3053310b3009060355040613025553311c301a060355040a1313457175696661782053656375726520496e632e312630240603550403131d45717569666178205365637572652065427573696e6573732043412d3130819f300d06092a864886f70d010101050003818d0030818902818100ce2f19bc17b777de93a95f5a0d174f341a0c98f422d959d4c46846f0b435c5850320c6af45a521514541eb165836326fe2506264f9fd519caa24d9f49d832a870a21d31238346c8d006e5aa0d942ee1a2195f9524c555ac50f384f46fa6df82e35d61d7cebe2f0b07580c8a913acbe88ef3a6eab5f2a386202b0127bfe8fa6030203010001a3663064301106096086480186f8420101040403020007300f0603551d130101ff040530030101ff301f0603551d230418301680144a78325211db5916365edfc11436406a477c4ca1301d0603551d0e041604144a78325211db5916365edfc11436406a477c4ca1300d06092a864886f70d010104050003818100755ba89b0311e6e9564ccdf9a94cc00d9af3cc6569e62576cc59b7d654c31dcd99ac19ddb485d5e03dfc6220a7844b5865f1e2f995213ff5d47e581e4787543e58a1b5b5f82aef71e7bcc3f6b14946e2d7a06be5567a9a27987c466214e7c9fc6e03127980381d48828dfc17fe2a962bb562a6a63dbd7f9259cd5a2a82b23779	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7FBB6ACD7E0AB438DAAF6FD50210D007C6C0829C	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212\Blob = 0b0000000100000026000000470065006f0054007200750073007400200047006c006f00620061006c002000430041000000090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308030000000100000014000000de28f4a4ffe5b92fa3c503d1a349a7f9962a8212200000000100000058030000308203543082023ca0030201020203023456300d06092a864886f70d01010505003042310b300906035504061302555331163014060355040a130d47656f547275737420496e632e311b30190603550403131247656f547275737420476c6f62616c204341301e170d3032303532313034303030305a170d3232303532313034303030305a3042310b300906035504061302555331163014060355040a130d47656f547275737420496e632e311b30190603550403131247656f547275737420476c6f62616c20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100dacc186330fdf417231a567e5bdf3c6c38e471b77891d4bca1d84cf8a843b603e94d21070888da582f663929bd05788b9d38e805b76a7e71a4e6c460a6b0ef80e489280f9e25d6ed83f3ada691c798c9421835149dad9846922e4fcaf18743c11695572d50ef892d807a57adf2ee5f6bd2008db914f8141535d9c046a37b72c891bfc9552bcdd0973e9c2664ccdfce831971ca4ee6d4d57ba919cd55dec8ecd25e3853e55c4f8c2dfe502336fc66e6cb8ea4391900b7950239910b0efe382ed11d059af64d3e6f0f071daf2c1e8f6039e2fa36531339d45e262bdb3da814bd32eb180328520471e5ab333de138bb073684629c79ea1630f45fc02be8716be4f90203010001a3533051300f0603551d130101ff040530030101ff301d0603551d0e04160414c07a98688d89fbab05640c117daa7d65b8cacc4e301f0603551d23041830168014c07a98688d89fbab05640c117daa7d65b8cacc4e300d06092a864886f70d0101050500038201010035e3296ae52f5d548e2950949f991a14e48f782a6294a227679ed0cf1a5e47e9c1b2a4cfdd411a054e9b4bee4a6f5552b324a1370aeb64762a2e2cf3fd3b7590bffa71d8c73d37d2b5059562b9a6de893d367b38774897aca6208f2ea6c90cc2b2994500c7ce11512222e0a5eab615480964ea5e4f74f7053ec78a520cdb15b4bd6d9be5c6b15468a9e36990b69aa50fb8b93f207dae4ab5b89ce41db6abe694a5c1c783addbf527870e046cd5ffdda05ded8752b72b1502ae39a66a74e9dac4e7bc4d341ea95c4d335f92092f88665d7797c71d7613a9d5e5f116091135d5acdb2471702c98560bd917b4d1e3512b5e75e8d5d0dc4f34edc2056680a1cbe633	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\253F775B0E7797AB645F15915597C39E263631D1	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob = 03000000010000001400000075e0abb6138512271c04f85fddde38e4b7242efe090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c02000000001000000be030000308203ba308202a2a003020102020b0400000000010f8626e60d300d06092a864886f70d0101050500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3036313231353038303030305a170d3231313231353038303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a6cf240ebe2e6f28994542c4ab3e21549b0bd37f8470fa12b3cbbf875fc67f86d3b2305cd6fdadf17bdce5f86096099210f5d053defb7b7e7388ac52887b4aa6ca49a65ea8a78c5a11bc7a82ebbe8ce9b3ac962507974a992a072fb41e77bf8a0fb5027c1b96b8c5b93a2cbcd612b9eb597de2d006865f5e496ab5395e8834ecbc780c0898846ca8cd4bb4a07d0c794df0b82dcb21cad56c5b7de1a02984a1f9d39449cb24629120bcdd0bd5d9ccf9ea270a2b7391c69d1bacc8cbe8e0a0f42f908b4dfbb0361bf6197a85e06df26113885c9fe0930a51978a5aceafabd5f7aa09aa60bddcd95fdf72a960135e0001c94afa3fa4ea070321028e82ca03c29b8f0203010001a3819c308199300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604149be20757671c1ec06a06de59b49a2ddfdc19862e30360603551d1f042f302d302ba029a0278625687474703a2f2f63726c2e676c6f62616c7369676e2e6e65742f726f6f742d72322e63726c301f0603551d230418301680149be20757671c1ec06a06de59b49a2ddfdc19862e300d06092a864886f70d01010505000382010100998153871c68978691ece04ab8440bab81ac274fd6c1b81c4378b30c9afcea2c3c6e611b4d4b29f59f051d26c1b8e983006245b6a90893b9a9334b189ac2f887884edbdd71341ac154da463fe0d32aab6d5422f53a62cd206fba2989d7dd91eed35ca23ea15b41f5dfe564432de9d539abd2a2dfb78bd0c080191c45c02d8ce8f82da4745649c505b54f15de6e44783987a87ebbf3791891bbf46f9dc1f08c358c5d01fbc36db9ef446d7946317e0afea982c1ffefab6e20c450c95f9d4d9b178c0ce501c9a0416a7353faa550b46e250ffb4c18f4fd52d98e69b1e8110fde88d8fb1d49f7aade95cf2078c26012db25408c6afc7e4238406412f79e81e1932e	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B3EAC44776C9C81CEAF29D95B6CCA0081B67EC9D\Blob = 0b000000010000001200000056006500720069005300690067006e000000090000000100000020000000301e06082b0601050507030406082b0601050507030206082b06010505070303030000000100000014000000b3eac44776c9c81ceaf29d95b6cca0081b67ec9d200000000100000007030000308203033082026c021100b92f60cc889fa17a4609b85b706c8aaf300d06092a864886f70d01010505003081c1310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e313c303a060355040b1333436c6173732032205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204732313a3038060355040b1331286329203139393820566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d060355040b1316566572695369676e205472757374204e6574776f726b301e170d3938303531383030303030305a170d3238303830313233353935395a3081c1310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e313c303a060355040b1333436c6173732032205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204732313a3038060355040b1331286329203139393820566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d060355040b1316566572695369676e205472757374204e6574776f726b30819f300d06092a864886f70d010101050003818d0030818902818100a7880121742ce71a03f098e1973c0f2108f19cdb97e99afcc2040613be5f52c8cc1e2c12562cb801692ccc991fadb096ae7904f21339c17b98ba082ce8c284132caa69e909f4c7a902a442c2234f4ad8f00ea2fb316cc9e66f992707f5e6f44c789e6deb4686fab986c954f2b2c4afd4461c5ac91530ff0d6cf52d0e6dce7f770203010001300d06092a864886f70d010105050003818100722ef97fd1f171fbc49ef6c55e518a4098b868f89b1c83d8e29dbdffeda1e666ea2f09f4cad7eaa52b95f62460864d442e83a5c42da0d3ae78696f72da6cae08f0639237e6bbc43017ad77cc4935aacfd88fd1beb7189647736a542234642db6169b595bb451593ab30b14f412df67a0f4ad32645eb14672278c127bc544b4ae	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CA3AFBCF1240364B44B216208880483919937CF7	updroots.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\99A69BE61AFE886B4D2B82007CB854FC317E1539	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4463C531D7CCC1006794612BB656D3BF8257846F	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8025EFF46E70C8D472246584FE403B8A8D6ADBF5\Blob = 0b000000010000003a00000054004300200054007200750073007400430065006e00740065007200200043006c00610073007300200033002000430041002000490049000000090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080300000001000000140000008025eff46e70c8d472246584fe403b8a8d6adbf52000000001000000ae040000308204aa30820392a003020102020e4a4700010002e5a05dd63f0051bf300d06092a864886f70d01010505003076310b3009060355040613024445311c301a060355040a1313544320547275737443656e74657220476d624831223020060355040b1319544320547275737443656e74657220436c6173732033204341312530230603550403131c544320547275737443656e74657220436c6173732033204341204949301e170d3036303131323134343135375a170d3235313233313232353935395a3076310b3009060355040613024445311c301a060355040a1313544320547275737443656e74657220476d624831223020060355040b1319544320547275737443656e74657220436c6173732033204341312530230603550403131c544320547275737443656e74657220436c617373203320434120494930820122300d06092a864886f70d01010105000382010f003082010a0282010100b4e0bb51bb395c8b04c54c791c23863110634355273fc645c7a43dec090d1a1e20c2561ede1b370730222f6ff106f1abadd6c8ab61a32f43c4b0b22dfcc396697b7e8ae4ccc03912904260c9cc3568eeda5f90565fcd1c4d5b5849eb0e014f64fa2c3c8958d82f2ee2b068e9223b7589d6441a65f21b97261d286dace8bd591d2b24f6d68403668824007860f1f8abfe02b26bfb22fb35e616d1adf62e12e4fa356ae519b95ddb3b1e1afbd3ff151408d8096aba459d1479607daf408a0773b39396d374348d3a3729de5cecf5ee2e31c220dcbef14f7f2352d95be264d99caa0708b545bdd1d031c1ab549fa9d2c3626003f1bb394a924a3d0ab99dc5a0fe370203010001a382013430820130300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414d4a2fc9fb3c3d803d3575c07a4d024a7c0f200d43081ed0603551d1f0481e53081e23081dfa081dca081d98635687474703a2f2f7777772e747275737463656e7465722e64652f63726c2f76322f74635f636c6173735f335f63615f49492e63726c86819f6c6461703a2f2f7777772e747275737463656e7465722e64652f434e3d5443253230547275737443656e746572253230436c61737325323033253230434125323049492c4f3d5443253230547275737443656e746572253230476d62482c4f553d726f6f7463657274732c44433d747275737463656e7465722c44433d64653f63657274696669636174655265766f636174696f6e4c6973743f626173653f300d06092a864886f70d010105050003820101003660e470f7062043d9231a42f2f8a3b2b94d8ab4f3c29a55317cc43b679ab4df4d0e8a934a178b1b8dca89e1cf3a1eac1df19c32b48e5976a241852537a013d0f57c4ed5ea96e26e72c1bb2afe6c6ef8919846fcc91b575beac81a3b3fb051983c07da2c5901da8b44e8e174fda768dd54ba8346ecc846b5f8af97c03b091c8fce72963d335670bc96cbd8d57d209a839f1adc39f1c572a31103fd3b425229dbe801f79b5e8cd68d864e19fabc1cbec521a5879e782e36db0971a37234f86ce30609f25e56a5d3dd98fad4e606f4f0b620634bea29bdaa82661efb81aaa737ad1318e692c381c133bb881ea1e7e2b4bd316c0e513d6ffb965680e23617d1dce4	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E0925E18C7765E22DABD9427529DA6AF4E066428\Blob = 030000000100000014000000e0925e18c7765e22dabd9427529da6af4e066428090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030806082b060105050703090b000000010000002c00000048006f006e0067006b006f006e006700200050006f0073007400200052006f006f007400200043004100000020000000010000002f0300003082032b30820213a003020102020101300d06092a864886f70d01010505003045310b300906035504061302484b31163014060355040a130d486f6e676b6f6e6720506f7374311e301c06035504031315486f6e676b6f6e6720506f737420526f6f74204341301e170d3030303131363037343230305a170d3130303131363233353930305a3045310b300906035504061302484b31163014060355040a130d486f6e676b6f6e6720506f7374311e301c06035504031315486f6e676b6f6e6720506f737420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100a5a291be3ce5363c4aef348f88fdba6d71a66272edc206bc7625bb8a5f15252738dde99191018a6f8ed55ba6bf3e23b363c354e1f1c30c964cfb7a0e271ef0231080d22868bd06958b7de929f9d427f6f2775f22ab25a8459797455661589c8724329d381d3dedb81c74053565a0a5910faf683d7a0f5c21fbe72c1bfe56865271736481d4e08480d09556bd49d03d24335d8e7a823854b66af4ba74692ebbd141701174e6376863af4ceadca220cdf68f4ce6d080082450991874e5ced607d07816065f3ddc85cb743f787f19c80d8e4854696a0580a96cb241feb404068bbab5a27e29a6aaaf41e91c4911b70d4808727f4b8398f3131a794bd14e14ce12330203010001a326302430120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d010105050003820101009505191630569cb9984b40348d115b4f24f12c68c2b5acb5e0b484a04c6dec8a7661c1f3d574f1619f7cbe20922752fa3124b8d19ee0f36d50baade22daf28756be12aeff821cd3bcbc8321ed3ba59cf38e8f29078dd9e0844955f864f6a9bdca28be59ca6568b8665351c6c0cca1ea49e4e5c1293d278c8d869ea698626d4a4d38fad574a58f4ecc67f6cbbb4f2c792f2ce3cf442c32167866da54da03fc2f718ab57d6e8c792fa86a736050e1972bf06f0aca4444cac3ee8ef7d0b48c5c11b33e9c901d0cceffe61ed8ce8329accf5c9d9c93d78a600051d29eb26018e4bfe39acc592ffbe709a57c2f2cf21b8662edee0d4febbdbb44789927f18bc2c86b5	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4	updroots.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\394FF6850B06BE52E51856CC10E180E882B385CC	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3913853E45C439A2DA718CDFB6F3E033E04FEE71\Blob = 0b000000010000001a000000450043005200610069007a00450073007400610064006f000000090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b060105050703070300000001000000140000003913853e45c439a2da718cdfb6f3e033e04fee712000000001000000720500003082056e30820356a003020102020f42ea5b0a5111267cd82774b7df7f71300d06092a864886f70d01010505003033310b3009060355040613025054310d300b060355040a0c04534345453115301306035504030c0c45435261697a45737461646f301e170d3036303632333133343132375a170d3330303632333133343132375a3033310b3009060355040613025054310d300b060355040a0c04534345453115301306035504030c0c45435261697a45737461646f30820222300d06092a864886f70d01010105000382020f003082020a0282020100dbefa2436ec8a9fd6ed7dfaca29284a1c859a00c9a53feefaecc190d728aa4c23323efe70672ea6d4b3a41520fc9480e2de7ba64eea23a4c635c66298bdfa988c5bde8f1f78e4bfc013c4412392a70a2c0dbc5a2df5fc74bc6a8dc3d617c4a58c1443293de7099a12326563fa3e1ea5f3046d878f530a3960989b03df1869305b6126a188df0a5643b2b87645e3d178e0b6ee698cc973838208c705a692bbd658dcd37595c6cd1727459064ec8b701d777bff04886a8b31a5d41d4371711105f4a6e8d75c503407d21ae00f0dbfc9f6c3a66a4dff7cadf80665ad9d87f14a22619f4ae0b21e0ca3e05dd16d87e59daa1b069c39d3413fa65493987ee762f8dbd3c2719034ead0e0b2b2cc62e7113352957e970dc1b51eacd97f1958db286fa26062f801a95f1983beef6e586a5ce1b01e5f4e933ca0f55445f688a2cc75b6628dd964b839d5e1d7e18d5feb260fb9a5168c3968c1f684b50520b36e63127e4d7290c1bda1b2fe10453b8d47949b03b815e08882277e229c0ae72aaabb47252bd6cbbf5ba78d99cb8206f308d4a9d32f9f401e66279984240057a6f1c2a3fb5fbdfcd18408ee510c4395b56f13c5705abd2394d3ff88b23c76bb940b1e2feffb31c0a691f9b8c0fb41fe00ade48fd8d5f8f99f5017605365d8edc338e516e11e241fdccb78d2a5f3e92e5f2b1e0a423e2a2b7c68d189b294ad1467ff4642018dd0203010001a37f307d300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414717f35def577716d1d129ce190a4baf0a9838f80303b0603551d200434303230300604551d20003028302606082b06010505070201161a687474703a2f2f7777772e656365652e676f762e70742f647063300d06092a864886f70d010105050003820201008cad9c72a5b56776673887e93a8cfe9d5935be90f10300a058d898d1bffcfcf350dcb465d5dabaf08c2e7c0de609915f4da3f65d789c585d6a7094a3afdb2f00c903406bdf510316198c2bbc9936f6c0ad9218138ca7ed1dd2df039005ecb093989bf74d5a13f8e79bf73676de7c26f811384f494eb3731f5f275be19e321ef6c0981bd9202c5c968d86c90b45d792ad8abdea57a2a356b6203cecb2c7397eb080febd512b2ab4c37269c3f9472e6eff9c87eddc75cb1088e0b4ce2e0e531d0be86e1e424cd0be397875c914de279173aaec6a80f0f01796624fbe04cbe2a7e55d0f9345cb59482613deddb1f50ada16b1a81d8f7e581bb7d509de886bce843ea8be5262cad2a1a1c7cb3c16e07656303fe60f6b0677fe649d5a6a737ceede21e99a499737b6847fa2913e45fbd75a06c58735dcba484c8601084736b6385095119973d137490afa424f2f1054d34190fac8dcbb11dc0dcc7d7c9bdc0e9171864db8f2159a2b381711a1f29ea86c9ce3ceaee2e64b8bf28a063b07770211ee83ea9d6686caf062a9d55783a415f14514fe1a757fa50fdc527459750af8fb5541a95c8d3144ddcd944e33d11b41aadbd7a13cf0c5486d454135b57983e6f94df15638d7bf4022fb2080e31cc2594607630261003b9b50bb43c3b0e90a9ab876f447615564704f37d99c11a313b2e1dd4042bb98d7a0068be668574b0e38687fba	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\16D86635AF1341CD34799445EB603E273702965D\Blob = 03000000010000001400000016d86635af1341cd34799445eb603e273702965d090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b060105050703070b00000001000000120000005300490054004800530020004300410000002000000001000000650300003082036130820249a00302010202101bd40ed434d1da15a6003015024da46c300d06092a864886f70d01010505003036310b30090603550406130253453111300f060355040a0c08436172656c696e6b3114301206035504030c0b5349544853204341207633301e170d3035313132383130323735305a170d3135313132383036303233385a3036310b30090603550406130253453111300f060355040a0c08436172656c696e6b3114301206035504030c0b534954485320434120763330820122300d06092a864886f70d01010105000382010f003082010a0282010100c5d95bd1d42b7f4067eea15b5dd1da6ab91931f2f026490165fc4154f19691ec2aee0444241e409ce717503fea1c7ceeb83739fcc7d3af9b6e5ddf3ebe05fceacad9f94556e1959cb1d05a8ffec82aa6d76a6ce06d5dec5c76fee199479aa97ba7eae66f5402274d514e283dac063a8182a61cbd4ba4ed5212dc8a2aeb27f4c1224a10845a75b580225665ebcc80f2a5e164be7cde0fbd27074c295baab1efb47bff8734e8a39342cb3d60bb77d3c22f5e14f8736fa47fa09c01d5d5a9bb0c578fccc03b91789e923979324c447fc70b7ddefacc7edaccde0dd466b662a633bf6cf9d5dd47527094cb65e045b70dd7af9548d741a33b20500d3c145593ccea0d0203010001a36b306930120603551d130101ff040830060101ff020100301106096086480186f842010104040302020430140603551d20040d300b300906072a85704a010103300b0603551d0f040403020106301d0603551d0e041604147c2e39233244e80f4e66f20d28fe40bec2b6e2a0300d06092a864886f70d0101050500038201010008535a88290df554d8abb183b927695aaa5f2b5849d4b9df6febc706ebfd879abfca12df7a9e0122256352856fa72f0e9774608ce0488073dd428d21ed0f727f74066e50563b2d87ec81588b36c7ca00fba404b62f38588e77f106c42d2c272d18820b8a5f229414156338c6a5b1bae0acbe3e263f91bb1c83fc0ecac937be37d7f07bf38cd8bc900bf400bf54bc6a4a58e7ca5b0c19534207955735b84f96539aa898dd4e7d55b49ce3bac036b9b7dc0298f8f6e530be2c77b2f3c9e202a3e6f7447cd66a7fd078be3973f80bc21f52000e4d7bc60aee62cb09d50f0a30878293bcca11a41f09fafa3750ec3be23c24a08028ccfba6ddef379aa931dddfea51	updroots.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\56E0FAC03B8F18235518E5D311CAE8C24331AB66	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\85B5FF679B0C79961FC86E4422004613DB179284	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\750251B2C632536F9D917279543C137CD721C6E0	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118	updroots.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\58119F0E128287EA50FDD987456F4F78DCFAD6D4	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CFF810FB2C4FFC0156BFE1E1FABCB418C68D31C5	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F5C27CF5FFF3029ACF1A1A4BEC7EE1964C77D784\Blob = 030000000100000014000000f5c27cf5fff3029acf1a1a4bec7ee1964c77d78409000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703090b0000000100000014000000430065007200740052005300410030003100000020000000010000004e0400003082044a30820332a003020102020103300d06092a864886f70d01010505003041310b3009060355040613024b52310d300b060355040a13044b495341310f300d060355040b1306524f4f5443413112301006035504031309436572745253413031301e170d3030303330323135303030305a170d3130303330333134353935395a3041310b3009060355040613024b52310d300b060355040a13044b495341310f300d060355040b1306524f4f544341311230100603550403130943657274525341303130820122300d06092a864886f70d01010105000382010f003082010a0282010100cecfede1e8561dc94b32609b2ab7978761063468cb17aec078c5c6115b4b7c97abb96c4e2f00f6532ce9e19c5a906a3d7a3838355aad1c0a5985bbf563670913e9264fd83c5def5342de4562e43ecd72a4fab3c0e01f8e94e2652d55c115922c6ff343d43505053437a02cb4735bf12726949af5ba12ccfa7835a2ad54d5668f11eaa6194dd71335547b9197034763b0a90f68bed2f49eea8db57b44b5b92d38c900e3e5bfc675890399ff8c4b080fc20531a44d1711cec3750f6bb05fd0ac86ad7de9a088b9c612d6c03a2cd26f6c271daaff459bc603100269f906ef9f22a0383882c82411aca19e8f4dbe785fdfba3f83037d51a3f8c75da891681f1e72dd0203010001a382014b30820147301d0603551d0e04160414ff8a46723358e8488822aa1768da1648098b3591301f0603551d23041830168014ff8a46723358e8488822aa1768da1648098b3591300e0603551d0f0101ff04040302010630150603551d20040e300c300a06082a831a8c9a44020130300603551d1104293027a42530233121301f06035504030c18ed959ceab5adeca095ebb3b4ebb3b4ed98b8ec84bced84b030300603551d1204293027a42530233121301f06035504030c18ed959ceab5adeca095ebb3b4ebb3b4ed98b8ec84bced84b030120603551d130101ff040830060101ff020101300c0603551d240405300380010030580603551d1f0451304f304da04ba04986476c6461703a2f2f6469727379732e726f6f7463612e6f722e6b723a3338392f434e3d524f4f542d5253412d43524c2c204f553d524f4f5443412c204f3d4b4953412c20433d4b52300d06092a864886f70d010105050003820101002c3ca4236c42f8892847507ce3e6e7232d3636c6882a9198fb1e7c0fab9d11ad75ace45c6b31117433626fd4069111c67274982fb062fb3429af14f2c664e0bfabcb57b9619cf3624d3379d7662a51ccdc00540501567e8cb68e13f42d9951e19a78bc55514a49da5b0b82fb433ddacd9309cbb5a309c3b07d5948a29bd8fb37c36f0e37ea0597bfd26ea1c8e8c3fbf3ad32c855923442e0d412e5d4ed218ae79892ff5cd7a566aabff13a7c2dc2e0553505da916a0753d185b194c7260d1b682908c121930f6ba260b853af44d9645dd36e9b8412783118da73bfac24f8ab2dbf0e7eba7b09ca5a89a82c52cc4c74add95fb3b7d605f7415f71e56619062579	updroots.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\ED8DC8386C4886AEEE079158AAC3BFE658E394B4\Blob = 030000000100000014000000ed8dc8386c4886aeee079158aac3bfe658e394b4090000000100000016000000301406082b0601050507030106082b060105050703020b000000010000002800000054007200750073007400690073002000450056005300200052006f006f007400200043004100000053000000010000002400000030223020060a2b06010401a87501010630123010060a2b0601040182373c0101030200c020000000010000007b030000308203773082025fa00302010202102406625f11b64cccda9e9c6cea040268300d06092a864886f70d01010505003045310b300906035504061302474231183016060355040a130f54727573746973204c696d69746564311c301a060355040b1313547275737469732045565320526f6f74204341301e170d3037303130393132303030315a170d3237303130393131353630305a3045310b300906035504061302474231183016060355040a130f54727573746973204c696d69746564311c301a060355040b1313547275737469732045565320526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100d25c94c3cfdc490b7cdf045c0bea79bbe0d0375b8c0ed7cd3918de8c97b8b434106d67adc4b30eed37d4a5bffa43e5da702786479fe2e9b281b9be2d5bb9b128803041dfb894a920a67eaaacca704ca3120ccf606281527a49830bc8222073a09d353c966fedce3d26c24f48caa282a79506a9f62632fef2c1fd23585f713bf8c7d7dd4c331fa0d6c1cf7337ab95fe9d9decec85c3e209bb8957f994562a546289cc04686e648a4fb1857b6cd4a4bd260af527fc133e5d6a330a6739628cfe14fdaa24da4fdeb2b5f27790a191ef29771d719559b6c0e381b8f4ff89ee7aa7fb59fec9d48d6edfd6a99ffc0b35b5dc6ea49979f388306bfa4aa96b38c8614b430203010001a3633061300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414792d7396ceb27d5a730e87562931c528f2eda55f301f0603551d23041830168014792d7396ceb27d5a730e87562931c528f2eda55f300d06092a864886f70d0101050500038201010043c86fdf9bcc09afdc38261d48fbd69673a066df1ae2c0e69dd22f891ce834f2223491f4159f2ebdb472aad7ed3c9fad519f7f1e8566256a42698060375646ba3c56ab6a808098b5ca7a58db0508c7f60781bfa03535c93792bf11f217414f3f41ed13d3af193d718a7eb064c83be7fa931364fe56c3de2bd9eb57cd82d08c9d5252bc6113353f6f9f68f669f76e1acf0b384a43b5400533d2a62b1a360fd38fb1f77b3e1dd2a06dd843aa2b3f690b007e1ae44e6fca6d3191ff7481fcfbe24893765c8b8cc3dca108200b5b6536fc76fb233fd1da97c1d35a90a3bf459bd75b8108a452fc787e182e2d71fddaef0d814689f052f20c5069f7ced5017cb27f28	updroots.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CFDEFE102FDA05BBE4C78D2E4423589005B2571D	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8BAF4C9B1DF02A92F7DA128EB91BACF498604B6F\Blob = 0b000000010000001600000043004e004e0049004300200052006f006f0074000000090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b060105050703070300000001000000140000008baf4c9b1df02a92f7da128eb91bacf498604b6f200000000100000059030000308203553082023da003020102020449330001300d06092a864886f70d01010505003032310b300906035504061302434e310e300c060355040a1305434e4e4943311330110603550403130a434e4e494320524f4f54301e170d3037303431363037303931345a170d3237303431363037303931345a3032310b300906035504061302434e310e300c060355040a1305434e4e4943311330110603550403130a434e4e494320524f4f5430820122300d06092a864886f70d01010105000382010f003082010a0282010100d335f73f7377ade85b7317c2d16fed55bc6eeae8a479b26cc3a3efe19fb13b4885f59a5c2122102cc582cedae39a6e37e1872cdcb90c5aba8855dffdaadb1f31ea01f1df3901c113fd485221c455dfdad8b35476ba74b1b77dd7c0e8f659c54dc8bdad1f14dadf58442532192ac77e7e8eae38b0307b47720931f030dbc31b7629bb69764e57f91b64a29356b76f996edb0a049c11e3801fcb6394100aa9e1648231f98c27eda69900f6709318f8a13486a3dd7ac21879f67a6535cf90ebbd33939f53ab733be69b34202f1defa91d631aa080db032ff9261a86d28dbba9be523a8767480dbfb4a0d826be235f73377f26e69204a37fcf20a7b7f33acacb99cb0203010001a3733071301106096086480186f8420101040403020007301f0603551d2304183016801465f231ad2af7f7dd52960ac702c10eefa6d53b11300f0603551d130101ff040530030101ff300b0603551d0f0404030201fe301d0603551d0e0416041465f231ad2af7f7dd52960ac702c10eefa6d53b11300d06092a864886f70d010105050003820101004b35eecce4aebfc36ead9f953b4b3f5b1edf5729a259ca38e2b91aff9ee66e32dd1eaeea35b7f593914eda42e1c3176050f2d15c26b982b7ea6de49c84e7037917af983d94dbc7ba00e7b8bf0157c17745320c3bf1b41c08b0fd51a0a1dd9a1d13369a6db7c73cb9e1c5d917fa83d53d15a03cbb1e0be2c8903fa8860cfcf98b5e85cb4f5b4b621147c5457c052f41b19e10691b9996e05579fb4e8699b894da86386a93a3e7cb6ee5dfea2155899c7d7d7f98f50089eee384c05c96b5c546ea46e08555b61bc912d6c1cdcd80f302013cc869cb454863d894d0ec850e3b4e1165f4828ca63dae2e229409c85cea3c815d162a0397165509db8a41829e669b11	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\89DF74FE5CF40F4A80F9E3377D54DA91E101318E	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B435D4E1119D1C6690A749EBB394BD637BA782B7\Blob = 030000000100000014000000b435d4e1119d1c6690a749ebb394bd637ba782b709000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030906082b0601050507030306082b060105050703080b00000001000000640000005400550052004b0054005200550053005400200045006c0065006b00740072006f006e0069006b00200053006500720074006900660069006b0061002000480069007a006d006500740020005300610067006c00610079006900630069007300690000002000000001000000400400003082043c30820324a003020102020101300d06092a864886f70d01010505003081be313f303d06035504030c3654c39c524b545255535420456c656b74726f6e696b20536572746966696b612048697a6d6574205361c49f6c6179c4b163c4b173c4b1310b3009060355040613025452310f300d06035504070c06416e6b617261315d305b060355040a0c5454c39c524b54525553542042696c676920c4b06c657469c59f696d2076652042696c69c59f696d2047c3bc76656e6c69c49f692048697a6d65746c65726920412ec59e2e20286329204b6173c4b16d2032303035301e170d3035313130373130303735375a170d3135303931363130303735375a3081be313f303d06035504030c3654c39c524b545255535420456c656b74726f6e696b20536572746966696b612048697a6d6574205361c49f6c6179c4b163c4b173c4b1310b3009060355040613025452310f300d06035504070c06416e6b617261315d305b060355040a0c5454c39c524b54525553542042696c676920c4b06c657469c59f696d2076652042696c69c59f696d2047c3bc76656e6c69c49f692048697a6d65746c65726920412ec59e2e20286329204b6173c4b16d203230303530820122300d06092a864886f70d01010105000382010f003082010a0282010100a9367ec391434cc3199808c8c7587b4f168ca5ce49011f730eac7513a6fa9e2c20ded8900e0ad169d227fbaa779f275225e2cb5dd8d88350177d8ab5823f048eb4d5f049a764b71e2e5f209c50754fafe1b54114f4989288c7e5e56447614779fdc051f1c199e7dcce6afbafb50130dc461cef8aec95efdcffaf101ceb9dd8b0aa6a85180d17c93ebff19bd0098942fda042b49d89515529cf1b70bc8454adc1131f98f42e76608b5d3f9aadca0cbfa7565b8f77b8d59e7949923fe0f197247a6c9b170f6def5398912be40fbe59790778bb9795f49f69d458870aa9e3ccb658199f2621b1c4598db24175c0ad69ce9c0008f236ff3ef0a10f1aac14fda6600f0203010001a3433041301d0603551d0e04160414d937b34e05fdd9cf9f1216aeb6892feb253a881c300f0603551d0f0101ff04050303070600300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100726096b7c9dcd8295e23855fb2b32d76fb88d717fe7b6d45b8f6856c9f22fc2a1022ecaab930f6ab58d6391031992900bd896641fb74de91c1180b9fb561cb9d3abef5a894a322556e1749ffd229f138265defa5aa3af9717be6da581dd374c201fa3e69585fadcb68be142e9b6cc0b6dca026fa771ae224da1a37e067add173830da51a1d6e12927e84620017bdbc251857f2d7a96f5988bc34b72e85789d96dc14c32c8a529b968c52663d86168b47b851098cea7dcd8872b36033b1f00a44ef0ff5093788240e2c6b203aa2fa11f240359c4468633bac336f63bc2cbbf2d2cb767d7d88d81dc8051d6ebc94a9668c7771c7fa91fa2f519ee93952b6e70442	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3BC0380B33C3F6A60C86152293D9DFF54B81C004\Blob = 0300000001000000140000003bc0380b33c3f6a60c86152293d9dff54b81c00409000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050508020206082b0601050507030606082b060105050703070b000000010000002800000054007200750073007400690073002000460050005300200052006f006f007400200043004100000020000000010000006b030000308203673082024fa00302010202101b1fadb620f924d3366bf7c7f18ca059300d06092a864886f70d01010505003045310b300906035504061302474231183016060355040a130f54727573746973204c696d69746564311c301a060355040b1313547275737469732046505320526f6f74204341301e170d3033313232333132313430365a170d3234303132313131333635345a3045310b300906035504061302474231183016060355040a130f54727573746973204c696d69746564311c301a060355040b1313547275737469732046505320526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c5507b9e3b35d0dfc48ccd8e9beda3c03699f442eaa73e80830fa6a75987c99045437e00ea86792a03bd3d37998966b7e58a5686939c684b68048c9393023e30d2373a2261891c854e7d8fd5af7b35f67e28478931dc0e79641f99d25bbafe7f60bfadebe73c38296a2fe5910b55ffec6f58d52dc9de4c66718f0cd704da07e61e18e3bd2902a8fa1ce15bb983a84148bc1a718de762e52db2ebdf7ccfdbab5aca31f14c22f30513f782f973790cbed74b1cc0d1153c934164d1e6be23172200895e1f6ba5ac6ea74b8ceda372e6af634d2f85d214359a2e4e8cea32982886a19109413ab4e1e3f2faf0c90aa241dda9e303c788153b1cd41a94d79f6459126d0203010001a3533051300f0603551d130101ff040530030101ff301f0603551d23041830168014bafa7125798b57412521860b71ebb2640e8b2167301d0603551d0e04160414bafa7125798b57412521860b71ebb2640e8b2167300d06092a864886f70d010105050003820101007e58fffd35197d9c184f9eb02bbc8e8c14ff2ca0da475bc3ef812daf05ea74485bf33e4e07c76dc5b393cf22355cb63f75275f0996cda0febe400c5c1255f89382ca29e95e3f56578b3836f7451a4c28cd9e41b8ed564c84a440c8b8b0a52b6970046ac3f8d41232f90ec3b1dc3284442c6fcb460fea66410f4ff158a5a60d0d0f61dea59e5d7d65a13c17e7a8554eefa0c7edc6447f54f5a3e08ff07c55228f29b681a3e16d4e2c1b8067ecad209f0c6261d597ff43ed2dc1da5d292a853fac65ee860f058d905fdfee9ff4bfee1dfb98e47f902b8478100e6c4953ef155b65464a5dafbafb3a721dcdf625881e97cc219c29010d65eb57d9f35796bb48cd81	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CE6A64A309E42FBBD9851C453E6409EAE87D60F1\Blob = 0b000000010000008e00000056006500720069005300690067006e00200043006c006100730073002000310020005000750062006c006900630020005000720069006d006100720079002000430065007200740069006600690063006100740069006f006e00200041007500740068006f0072006900740079002000280050004300410031002000470031002000530048004100310029000000090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308030000000100000014000000ce6a64a309e42fbbd9851c453e6409eae87d60f12000000001000000400200003082023c308201a502103f691e819cf09a4af373ffb948a2e4dd300d06092a864886f70d0101050500305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732031205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479301e170d3936303132393030303030305a170d3238303830323233353935395a305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732031205075626c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100e519bf6da356612d994871f667deb98debb79e86800a910efa3825af468882e573a8a09b245d0d1fcc656e0cb0d0568418879a069b10a173dfb458396b6ec1f615d5a8a83faa12068d31ac7fb034d78f34678809cd1411e24e4556691f780280dadc479129bb36c9635cc5e0d72d877ba1b732b07b30ba2a2f31aaeea367dadb0203010001300d06092a864886f70d010105050003818100581529393c77a3da5c25037c60faee09993c271070c80c09e6b387cf0ae218963562ccbf9b2779895fc9c409f4ceb51ddf2abde5db869c6825e5307cb68915fe67d1ade150ac3c7c624b8fba84d712151b1fca5d0fc152942a1199da7bcf0c3613d535dc101959ea94c100bf758fd9fafd7604db62bb906a03d94635d9f87c5b	updroots.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\EE29D6EA98E632C6E527E0906F0280688BDF44DC	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4054DA6F1C3F4074ACED0FECCDDB79D153FB901D\Blob = 0b000000010000001e000000440053005400200041004300450053002000430041002000580036000000090000000100000016000000301406082b0601050507030406082b060105050703010300000001000000140000004054da6f1c3f4074aced0feccddb79d153fb901d20000000010000000d04000030820409308202f1a00302010202100d5e990ad69db778ecd807563b8615d9300d06092a864886f70d0101050500305b310b30090603550406130255533120301e060355040a13174469676974616c205369676e61747572652054727573743111300f060355040b13084453542041434553311730150603550403130e4453542041434553204341205836301e170d3033313132303231313935385a170d3137313132303231313935385a305b310b30090603550406130255533120301e060355040a13174469676974616c205369676e61747572652054727573743111300f060355040b13084453542041434553311730150603550403130e445354204143455320434120583630820122300d06092a864886f70d01010105000382010f003082010a0282010100b93df52cc994dc758a955d63e884777666b959915c46dd923e9ff90e03b43d6192bd2326b563ee92d29ed63cc80d905f6481b1a8080d4cd8f9d3052852b40125c5951c0c7e3e108475cfc1199163cfe8a89188b94352bb80b155898b31fad0b776be413d309aa422251773e81ee2d3ac2abd5b3821d52a4bd7557de33a55bdd76d6b02576be6477c08c882badea7873da16db83056c2b302815f2df5e29a301828b866d3cb01966fea8a4555d6e09dff672b1702a64e1a6a110b7eb77be798d68c766fc13bdb50937ee5d08e1f37b8bdbac69f6ce97c33f2323c2647fa272402c97e1d5b8842136a357c7d35e92e66917293d53226c474f553a3b35d9af609cb0203010001a381c83081c5300f0603551d130101ff040530030101ff300e0603551d0f0101ff0404030201c6301f0603551d11041830168114706b692d6f70734074727573746473742e636f6d30620603551d20045b30593057060a608648016503020101013049304706082b06010505070201163b687474703a2f2f7777772e74727573746473742e636f6d2f6365727469666963617465732f706f6c6963792f414345532d696e6465782e68746d6c301d0603551d0e041604140972064e18430fe5d6ccc36a8b317b788fa883b8300d06092a864886f70d01010505000382010100a3d88ed6b2dbce05e732cd01d30403e576e4562b9c9990e808306cdf7d3deee5bfb524408449e1d128aec4c23a533088f1f5776e51cafaff99af245f1ba0fdf2ac84cadfa9f05f042ead16bf219710813de3ff878d32dc94e5478a5e6a13c994953dd2eec83495d080d4ad320880543ce0bd5253d7527cb2693f7f7acf6a74cafa042a9c4c5a06a5e920ad45660f69f1ddbfe9e3328bfae0c1864d723c2ed893780a2af8d8d2273d19895f5a7b8a3bcc0cda51aec70bf72bb03705ecbc5723e238d29b68f35612884f427cb831c4b5dbe4c82134e9481135eefac79257c59f34e4c7f6f70e0b4c9c68787b7131c7eb1ee06741f3b7a0a7cde57a33366afa9a2b	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0409565B77DA582E6495AC0060A72354E64B0192	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4F65566336DB6598581D584A596C87934D5F2AB4	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4ABDEEEC950D359C89AEC752A12C5B29F6D6AA0C	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3F85F2BB4A62B0B58BE1614ABB0D4631B4BEF8BA\Blob = 0b000000010000001200000056006500720069005300690067006e00000009000000010000002a000000302806082b0601050507030406082b0601050507030206082b0601050507030306082b060105050703010300000001000000140000003f85f2bb4a62b0b58be1614abb0d4631b4bef8ba200000000100000006030000308203023082026b02107eb611ab32c841db5eac01e3959efffd300d06092a864886f70d01010505003081c1310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e313c303a060355040b1333436c6173732034205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204732313a3038060355040b1331286329203139393820566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d060355040b1316566572695369676e205472757374204e6574776f726b301e170d3938303531383030303030305a170d3138303531383233353935395a3081c1310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e313c303a060355040b1333436c6173732034205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204732313a3038060355040b1331286329203139393820566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d060355040b1316566572695369676e205472757374204e6574776f726b30819f300d06092a864886f70d010101050003818d0030818902818100baf0e4cff9c4ae8554b90757f98fc57f6811f8c417b044dce33073d52a622ab8d0cc1ced285b7ebd6adcb39124ca41623cfc0201bf1c1631940597766ea2adbd61176c4e3086f051372a50c7a86281dc5b4aaac1a0b46eeb2fe557c5b12b4070db5a4da18e1fbd031fd803d48f4c9971bce282cc58e8983a86d38638f300291f0203010001300d06092a864886f70d0101050500038181008a68628772e784900902db00b128ff18c5b563649a2bc1d2f75fe81f0cafc9ebf51da1047e3fe3a68ec71dfd2810757c3fcaf91726276f2bc1dbc9c36b7ca6c6dce55a8dfbef40c887ef1950365787f1f23fe5eaa3969997ad99af3bbf84b7d59e6c8b0aa3efe762fba677e82f4e86dd31a2f3ca5698ec879ed982af845241e8	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDE1D2A901802E1D875E84B3807E4BB1FD994134	updroots.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0CFD83DBAE44B9A0C8F676F3B570650B94B69DBF	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\20CB594FB4EDD895763FD5254E959A6674C6EEB2\Blob = 03000000010000001400000020cb594fb4edd895763fd5254e959a6674c6eeb2090000000100000056000000305406082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070308060a2b0601040182370a0304060a2b0601040182370a030c06082b060105050703090b00000001000000340000004d004f004700410048004100200047006f007600740020006f00660020004b006f007200650061002000470050004b004900000020000000010000008e0300003082038a30820272a003020102021045f8e0e401c53e71e6bd716d979c4123300d06092a864886f70d0101050500304f310b3009060355040613024b52311c301a060355040a1313476f7665726e6d656e74206f66204b6f726561310d300b060355040b130447504b49311330110603550403130a47504b49526f6f744341301e170d3037303331353036303030345a170d3137303331353036303030345a304f310b3009060355040613024b52311c301a060355040a1313476f7665726e6d656e74206f66204b6f726561310d300b060355040b130447504b49311330110603550403130a47504b49526f6f74434130820121300d06092a864886f70d01010105000382010e0030820109028201005a2b41159bdb762601f054720b87131fa0d03f96aa0db33481de485a9ff3705ac2f13a9e04f04e947997e1f4b5144cd76fc48b18b7dc122b1d0a9bee200c5b8ffff9af829e9846d03d5d28f39716c15ce556bf44a400a17acb9b7a5bdcd4edfbf2a00267001e44e58a01dca5a34efed60c67ca49b9f0d0a0f94d1f03d386ef0d85754df3edfbcd6a660457f4579bac668a4fc2a84f718909dd4c00df96bbd5900ab4b66a6dc6bfd39929ff62f010da45ac09720b8210e815a88b5fe2a25a791ec267fde944570b03d0211551b000f38f6de223f04921d96dcf623decebfd2892013f7aa3727cebf3aee7f80aec6ead7a9b55c9304b9cb661466b581afe9f481d0203010001a3633061301f0603551d23041830168014166732f4685e683147dbedecce612e9a2446c47d301d0603551d0e04160414166732f4685e683147dbedecce612e9a2446c47d300e0603551d0f0101ff0404030201ae300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100356352c660181cb7c2c15a5802ec07d5a19093fc8047d05278ab85f876d3b8b01832a0b6906813663d6faf8edcf6a3c4ce395fafed0a66e07c11c80ccb9e1f38298a8bdec8632ec7b4d2ce369194e04f8492b6aa22a8fd31a73348c95bf613d81616eb1f3fa54e06933ad906653096fa8d06dba11af42bfa0f68f0c12b7c9d05d709423bd22f9190fc0e6b385bb275a9579c5764f59820a4ffd43004e4ce1f90c92fc1df5a56b8cbaaaab4bfebb8f7224a4dc135f465bd78bc6f781b563a81e80df5c2a51730d38d5777cba5c14cb130dd34b8ab920a2202368bf66cf761b908ee30ad1aa844f12e32ec83a248483a675fe96f1b1733082ac1c9c3679a0e8567	updroots.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4F65566336DB6598581D584A596C87934D5F2AB4\Blob = 0300000001000000140000004f65566336db6598581d584a596c87934d5f2ab409000000010000002a000000302806082b0601050507030406082b0601050507030206082b0601050507030306082b060105050703010b000000010000001200000056006500720069005300690067006e0000002000000001000000410200003082023d308201a6021100e49efdf33ae80ecfa5113e19a4240232300d06092a864886f70d0101020500305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479301e170d3936303132393030303030305a170d3034303130373233353935395a305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c95c599ef21b8a0114b410df0440dbe357af6a45408f840c0bd133d9d911cfee02581f25f72aa84405aaec031f787f9e93b99a00aa237dd6ac85a26345c77227ccf44cc67571d239ef4f42f075df0a90c68e206f980ff8ac235f702936a4c986e7b19a20cb53a585e73dbe7d9afe244533dc7615ed0fa271644c652e816845a70203010001300d06092a864886f70d0101020500038181006170ec2f3f9efd2be6685421b06779080c2096318a0d7abeb626df792c22694936e397776261a232d77a542136ba02c934e725da4435b0d25c805db394f8f9aceea460752a1f954923b14a7cf4b34772215b7e97ab54ac62e75decae9bd2c9b224fb82ade967154bbaaaa6f097a0f6b0975700c80c3c09a08204ba41daf799a4	updroots.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CFF810FB2C4FFC0156BFE1E1FABCB418C68D31C5	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3BC49F48F8F373A09C1EBDF85BB1C365C7D811B3	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7F8A77836BDC6D068F8B0737FCC5725413068CA4\Blob = 0300000001000000140000007f8a77836bdc6d068f8b0737fcc5725413068ca4090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703080b00000001000000540000004100750074006f00720069006400610064002000640065002000430065007200740069006600690063006100630069006f006e0020006400650020006c0061002000410062006f006700610063006900610000002000000001000000c0040000308204bc308203a4a003020102021000908b324fc1901aceb4c33809cdcfe4300d06092a864886f70d01010505003079310b300906035504061302455331363034060355040a132d436f6e73656a6f2047656e6572616c206465206c612041626f6761636961204e49463a512d323836333030364931323030060355040313294175746f72696461642064652043657274696669636163696f6e206465206c612041626f6761636961301e170d3035303631333232303030305a170d3330303631333232303030305a3079310b300906035504061302455331363034060355040a132d436f6e73656a6f2047656e6572616c206465206c612041626f6761636961204e49463a512d323836333030364931323030060355040313294175746f72696461642064652043657274696669636163696f6e206465206c612041626f676163696130820122300d06092a864886f70d01010105000382010f003082010a0282010100b4b257ee85f023e80dfbb28084f11067abb2f949df5cde5be48f291953c9d5e81c506b61028c87f08f3cc145920bac99a1c61a85d63dad7e26a61db83db2b33e8ac50a32d34b91ef49757e56f7fea00862462bceeaf2519f60de32c8ed1aa7cf755ceb3dc0bd9a48a58694ce585014ea6ae19af48c6595e16015259512f6ba788bb2c0ede66c97245a1de47443ca38c43594588ef58ab0683c282c449609bf095b720ae7673c90b954387454bb6d2d6a43c8bcef09ac1f23e852565e35175f2bbb5ecd6552a5147c3bb2aae9dd27b537233b060d2c7b8dbada6f661786a7b6d71e075d1e6c1997c8e5237378d1aef91ebaa1ae4922ed65711f7ff75a74448d430203010001a382013e3082013a30370603551d110430302e8111616340616361626f67616369612e6f72678619687474703a2f2f7777772e616361626f67616369612e6f7267300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301106096086480186f8420101040403020007301d0603551d0e04160414fc884c8e6d04a12090d3f81c9ab367045f7980c63081ab0603551d200481a33081a030819d060b2b060104018181150a010130818d302906082b06010505070201161d687474703a2f2f7777772e616361626f67616369612e6f72672f646f63306006082b0601050507020230541a52436f6e73756c7465206c61206465636c61726163696f6e206465207072616374696361732064652063657274696669636163696f6e20656e20687474703a2f2f7777772e616361626f67616369612e6f7267300d06092a864886f70d0101050500038201010098a7fa39b57311267fbc893fb46b2533310a86386bc91e159714e0d24c2d85f43c749b8d2811fbcc0e26b9808316d1f94698b646078e66856d70c0ba4c80f3a4f0d537542baf66847273f9482f09cee18501ca8fe087dea097d094b40db54d0e672cc860c43294c04181078dbabfa9e80c409a4278055d81eb621ce44f140a3d0b3e1fe9f4cd7dee45bbbcde5df39897267bc61329f82b7f1ad4eafab26e209eda17eaa192bd37e90ebbbb91d525f6605d8521505bff545df54b3bb4c329115802f625e4e18282bba28de791245e40919e47078c3357d4623151767585436f09ab11a52529b9d8ff5fa5f73feb653b1def86e51622d51eca32697d7e05d73027	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B80186D1EB9C86A54104CF3054F34C52B7E558C6\Blob = 030000000100000014000000b80186d1eb9c86a54104cf3054f34c52b7e558c609000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703090b0000000100000014000000540072007500730074007700610076006500000053000000010000002600000030243022060c6086480186fd64010102040130123010060a2b0601040182373c0101030200c02000000001000000340400003082043030820318a003020102021050946cec18ead59c4dd597ef758fa0ad300d06092a864886f70d0101050500308182310b3009060355040613025553311e301c060355040b13157777772e7872616d7073656375726974792e636f6d31243022060355040a131b5852616d7020536563757269747920536572766963657320496e63312d302b060355040313245852616d7020476c6f62616c2043657274696669636174696f6e20417574686f72697479301e170d3034313130313137313430345a170d3335303130313035333731395a308182310b3009060355040613025553311e301c060355040b13157777772e7872616d7073656375726974792e636f6d31243022060355040a131b5852616d7020536563757269747920536572766963657320496e63312d302b060355040313245852616d7020476c6f62616c2043657274696669636174696f6e20417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010098241ebd15b4badfc78ca527b6380b69f3b64ea82c2e211d5c44df215d7e2374fe5e7eb44ab7a6ad1faee00616e29b5bd967746b5d808f299d861bd99c0d986d76102858e465b07f4a98799fe0c3317e802bb58cc0403b1186d0cba2863660a4d530826dd96ed00f120433975f4f615af0e4f991abe71d3bbce8cff46b2d347ce248611c8ef36144cc6fa04aa994b04ddae7a9347a7238a841cc3c94117debc8a68cb786cbca333bd93d378bfb7a3e862ce773d70a57ac649b19ebf40f04088aac03171964f45a25228d342cb2f6681d126dd38a1e14dac48fa6e22385d57a0dbd6ae0e9ecec17bb421b67aa25ed458321fcc1c97cd5623efaf2c52dd3fdd4650203010001a3819f30819c301306092b060104018237140204061e0400430041300b0603551d0f040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c64fa23d066384099cce62e404ac8d5cb5e9b61b30360603551d1f042f302d302ba029a0278625687474703a2f2f63726c2e7872616d7073656375726974792e636f6d2f584743412e63726c301006092b06010401823715010403020101300d06092a864886f70d0101050500038201010091153903011b67fb4a1cf90a605ba1da4d9762f9245327d782644e902ec3491b2b9adcfca8786735f11df011bdb748e310f60ddf3fd2c9b6aa55a448ba02dbde592e155b3b9d167d47d737ea5f4d761236bb1fd7a181044620a32c6da99e017e3f29ce0093dffdc992738989649ee72be41c912cd2b9ce7dce6f3199d3e6bed21e90f00914795c23ab4dd2da211f4d99799de1cf279f109b1c880db08a644131b80e6c9024a49b5c718fbabb7e1c1bdb6a800f21bce9dba6b740f4b28ba9b1e4ef9a1ad03d6999eea828a3e13cb3f0b2119ccf7c40e6dde7437da2d83ab5a98df23499c4d410e106fd0984103beec44cf4ec277c42c2747c828a09c9b40325bc	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABB51672400588E6419F1D40878D0403AA20264	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6E3A55A4190C195C93843CC0DB722E313061F0B1\Blob = 0b000000010000004c0000004300680061006d006200650072007300690067006e0020004300680061006d00620065007200730020006f006600200043006f006d006d006500720063006500200052006f006f0074000000090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080300000001000000140000006e3a55a4190c195c93843cc0db722e313061f0b12000000001000000c1040000308204bd308203a5a003020102020100300d06092a864886f70d0101050500307f310b300906035504061302455531273025060355040a131e41432043616d65726669726d61205341204349462041383237343332383731233021060355040b131a687474703a2f2f7777772e6368616d6265727369676e2e6f726731223020060355040313194368616d62657273206f6620436f6d6d6572636520526f6f74301e170d3033303933303136313334335a170d3337303933303136313334345a307f310b300906035504061302455531273025060355040a131e41432043616d65726669726d61205341204349462041383237343332383731233021060355040b131a687474703a2f2f7777772e6368616d6265727369676e2e6f726731223020060355040313194368616d62657273206f6620436f6d6d6572636520526f6f7430820120300d06092a864886f70d01010105000382010d00308201080282010100b73655e5a55d1830e0da895491fcc8c752f82f50d9efb1757365477d1b5bba75c5fca18824fa2fedca084a3954c4517ab5da60ea383c81b2cbf1bbd991233f48017075a9052aad1f71f3c9543d1d066a403eb30c85ee5c1b79c262c4b8368e355d010c23044735aa9b604ea0663dcb260a9c40a1f45d98bf71aba500682aed837a0fa214b5d422b380b03c0c5a51692d58188fed999ef1aee295e6f647a8d60c0fb05858dbc366379e9b91543337d2941c6a48c9c9f2a5daa50c23f7230e9c32555e719c8405519a2dfde64e2a345adeca4037670c54215577da0a0ccc97ae80dc94364af43ece36131e53e4ac4e3a05ecdbae729c388bd0393b890a3e77fe75020103a38201443082014030120603551d130101ff040830060101ff02010c303c0603551d1f043530333031a02fa02d862b687474703a2f2f63726c2e6368616d6265727369676e2e6f72672f6368616d62657273726f6f742e63726c301d0603551d0e04160414e394f5b14de9dba1295b578b4d760676e1d1a28a300e0603551d0f0101ff040403020106301106096086480186f842010104040302000730270603551d110420301e811c6368616d62657273726f6f74406368616d6265727369676e2e6f726730270603551d120420301e811c6368616d62657273726f6f74406368616d6265727369676e2e6f726730580603551d200451304f304d060b2b0601040181872e0a0301303e303c06082b060105050702011630687474703a2f2f6370732e6368616d6265727369676e2e6f72672f6370732f6368616d62657273726f6f742e68746d6c300d06092a864886f70d010105050003820101000c4197c21a86c0227c9ffb90f31ad103b1ef13f9215f049cdac9a58d276c968791be4190017293e71e7d5ff689c65da740093dac494545dc2e8d3068b209bafbc32fccba0bdf3f777b467d3a12248e968f3c050a6fd294281d6d0cc02e8822d5d8cf1d13c7f048d7d705a7cfc7479e3b3c34c8804fd414bbfc0d50f7fab3ec425fa9dd6dc8f475cf7bc17226b1011c5c2cfd7a4eb401c50557b9e73caa05d988e9074641ceef4181ae58df83a2aecad7771fe7003c9d6f8ee432091d4d783478343c949b26ed4f71c6197abd2022485afe4b7d03b7e758bec6324e741e68dda8685bb33eee627dd980e80a757ab7eeb4659a2190e0aad098bc38b5733c8bf8dc	updroots.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7FB9E2C995C97A939F9E81A07AEA9B4D70463496	updroots.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A0F8DB3F0BF417693B282EB74A6AD86DF9D448A3	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7030AABF8432A800666CCCC42A887E42B7553E2B	updroots.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	updroots.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0409565B77DA582E6495AC0060A72354E64B0192	updroots.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\54F9C163759F19045121A319F64C2D0555B7E073\Blob = 03000000010000001400000054f9c163759f19045121a319f64c2d0555b7e073090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000004e000000430065007200740069007300690067006e0020004100750074006f00720069006400610064006500200043006500720074006900660069006300610064006f00720061002000410043003400000020000000010000006e0200003082026a308201d3a003020102020100300d06092a864886f70d01010405003072310b3009060355040613024252312e302c060355040a132543657274697369676e20436572746966696361646f7261204469676974616c204c7464612e31333031060355040b132a43657274697369676e202d204175746f72696461646520436572746966696361646f7261202d20414334301e170d3939303632373030303030305a170d3138303632373030303030305a3072310b3009060355040613024252312e302c060355040a132543657274697369676e20436572746966696361646f7261204469676974616c204c7464612e31333031060355040b132a43657274697369676e202d204175746f72696461646520436572746966696361646f7261202d2041433430819f300d06092a864886f70d010101050003818d0030818902818100ec83d4cc83903f5fecbec1e9d0c75846591ff1934ab217130bcf2999ab044533e3d15ebebc8e257762dd9b929b310a404579d5f2b3dd6cb940fd987f40a22de9b293bd4bd5c1dee9d1fa71f73f41bcf414afcd6bc8394a9d6065b484d06a41e963ae9b69eab9461cdb18083b624cde41d79e867f137211d4dceade60a5bbdd1b0203010001a310300e300c0603551d13040530030101ff300d06092a864886f70d010104050003818100295d8df6e753bdeca3811641b11ef8243da5b70e3ef37ffb8ec89ea356e71441df2e25dd4eed1240dfd94219c430989499528a23c069b59a827943dc89041f32bf6b8dbe2873294ca3fb54cd63fb5f546b521518a0ea95c70f09a9ef8fbeab6abcd6a806a4e2d27de3f24e10b9c03c2e25a1f293baa18db6af87c699d33ea11f	updroots.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\634C3B0230CF1B78B4569FECF2C04A8652EFEF0E	updroots.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

KB931125.exeKB931125.exe

description	pid	process
Token: SeRestorePrivilege	2732	KB931125.exe
Token: SeRestorePrivilege	2732	KB931125.exe
Token: SeRestorePrivilege	2732	KB931125.exe
Token: SeRestorePrivilege	2732	KB931125.exe
Token: SeRestorePrivilege	2732	KB931125.exe
Token: SeRestorePrivilege	2732	KB931125.exe
Token: SeRestorePrivilege	2732	KB931125.exe
Token: SeRestorePrivilege	2832	KB931125.exe
Token: SeRestorePrivilege	2832	KB931125.exe
Token: SeRestorePrivilege	2832	KB931125.exe
Token: SeRestorePrivilege	2832	KB931125.exe
Token: SeRestorePrivilege	2832	KB931125.exe
Token: SeRestorePrivilege	2832	KB931125.exe
Token: SeRestorePrivilege	2832	KB931125.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_7a50c28b9af18691eab4c788b1905ccf_magniber_metamorfo.exeKB931125.exeKB931125.exe

description	pid	process	target process
PID 3008 wrote to memory of 2732	3008	2024-05-24_7a50c28b9af18691eab4c788b1905ccf_magniber_metamorfo.exe	KB931125.exe
PID 3008 wrote to memory of 2732	3008	2024-05-24_7a50c28b9af18691eab4c788b1905ccf_magniber_metamorfo.exe	KB931125.exe
PID 3008 wrote to memory of 2732	3008	2024-05-24_7a50c28b9af18691eab4c788b1905ccf_magniber_metamorfo.exe	KB931125.exe
PID 3008 wrote to memory of 2732	3008	2024-05-24_7a50c28b9af18691eab4c788b1905ccf_magniber_metamorfo.exe	KB931125.exe
PID 3008 wrote to memory of 2732	3008	2024-05-24_7a50c28b9af18691eab4c788b1905ccf_magniber_metamorfo.exe	KB931125.exe
PID 3008 wrote to memory of 2732	3008	2024-05-24_7a50c28b9af18691eab4c788b1905ccf_magniber_metamorfo.exe	KB931125.exe
PID 3008 wrote to memory of 2732	3008	2024-05-24_7a50c28b9af18691eab4c788b1905ccf_magniber_metamorfo.exe	KB931125.exe
PID 2732 wrote to memory of 2824	2732	KB931125.exe	updroots.exe
PID 2732 wrote to memory of 2824	2732	KB931125.exe	updroots.exe
PID 2732 wrote to memory of 2824	2732	KB931125.exe	updroots.exe
PID 2732 wrote to memory of 2824	2732	KB931125.exe	updroots.exe
PID 2732 wrote to memory of 2824	2732	KB931125.exe	updroots.exe
PID 2732 wrote to memory of 2824	2732	KB931125.exe	updroots.exe
PID 2732 wrote to memory of 2824	2732	KB931125.exe	updroots.exe
PID 2732 wrote to memory of 2524	2732	KB931125.exe	updroots.exe
PID 2732 wrote to memory of 2524	2732	KB931125.exe	updroots.exe
PID 2732 wrote to memory of 2524	2732	KB931125.exe	updroots.exe
PID 2732 wrote to memory of 2524	2732	KB931125.exe	updroots.exe
PID 2732 wrote to memory of 2524	2732	KB931125.exe	updroots.exe
PID 2732 wrote to memory of 2524	2732	KB931125.exe	updroots.exe
PID 2732 wrote to memory of 2524	2732	KB931125.exe	updroots.exe
PID 2732 wrote to memory of 2588	2732	KB931125.exe	updroots.exe
PID 2732 wrote to memory of 2588	2732	KB931125.exe	updroots.exe
PID 2732 wrote to memory of 2588	2732	KB931125.exe	updroots.exe
PID 2732 wrote to memory of 2588	2732	KB931125.exe	updroots.exe
PID 2732 wrote to memory of 2588	2732	KB931125.exe	updroots.exe
PID 2732 wrote to memory of 2588	2732	KB931125.exe	updroots.exe
PID 2732 wrote to memory of 2588	2732	KB931125.exe	updroots.exe
PID 2732 wrote to memory of 2760	2732	KB931125.exe	updroots.exe
PID 2732 wrote to memory of 2760	2732	KB931125.exe	updroots.exe
PID 2732 wrote to memory of 2760	2732	KB931125.exe	updroots.exe
PID 2732 wrote to memory of 2760	2732	KB931125.exe	updroots.exe
PID 2732 wrote to memory of 2760	2732	KB931125.exe	updroots.exe
PID 2732 wrote to memory of 2760	2732	KB931125.exe	updroots.exe
PID 2732 wrote to memory of 2760	2732	KB931125.exe	updroots.exe
PID 3008 wrote to memory of 2832	3008	2024-05-24_7a50c28b9af18691eab4c788b1905ccf_magniber_metamorfo.exe	KB931125.exe
PID 3008 wrote to memory of 2832	3008	2024-05-24_7a50c28b9af18691eab4c788b1905ccf_magniber_metamorfo.exe	KB931125.exe
PID 3008 wrote to memory of 2832	3008	2024-05-24_7a50c28b9af18691eab4c788b1905ccf_magniber_metamorfo.exe	KB931125.exe
PID 3008 wrote to memory of 2832	3008	2024-05-24_7a50c28b9af18691eab4c788b1905ccf_magniber_metamorfo.exe	KB931125.exe
PID 3008 wrote to memory of 2832	3008	2024-05-24_7a50c28b9af18691eab4c788b1905ccf_magniber_metamorfo.exe	KB931125.exe
PID 3008 wrote to memory of 2832	3008	2024-05-24_7a50c28b9af18691eab4c788b1905ccf_magniber_metamorfo.exe	KB931125.exe
PID 3008 wrote to memory of 2832	3008	2024-05-24_7a50c28b9af18691eab4c788b1905ccf_magniber_metamorfo.exe	KB931125.exe
PID 2832 wrote to memory of 1292	2832	KB931125.exe	updroots.exe
PID 2832 wrote to memory of 1292	2832	KB931125.exe	updroots.exe
PID 2832 wrote to memory of 1292	2832	KB931125.exe	updroots.exe
PID 2832 wrote to memory of 1292	2832	KB931125.exe	updroots.exe
PID 2832 wrote to memory of 1292	2832	KB931125.exe	updroots.exe
PID 2832 wrote to memory of 1292	2832	KB931125.exe	updroots.exe
PID 2832 wrote to memory of 1292	2832	KB931125.exe	updroots.exe
PID 2832 wrote to memory of 308	2832	KB931125.exe	updroots.exe
PID 2832 wrote to memory of 308	2832	KB931125.exe	updroots.exe
PID 2832 wrote to memory of 308	2832	KB931125.exe	updroots.exe
PID 2832 wrote to memory of 308	2832	KB931125.exe	updroots.exe
PID 2832 wrote to memory of 308	2832	KB931125.exe	updroots.exe
PID 2832 wrote to memory of 308	2832	KB931125.exe	updroots.exe
PID 2832 wrote to memory of 308	2832	KB931125.exe	updroots.exe
PID 2832 wrote to memory of 1452	2832	KB931125.exe	updroots.exe
PID 2832 wrote to memory of 1452	2832	KB931125.exe	updroots.exe
PID 2832 wrote to memory of 1452	2832	KB931125.exe	updroots.exe
PID 2832 wrote to memory of 1452	2832	KB931125.exe	updroots.exe
PID 2832 wrote to memory of 1452	2832	KB931125.exe	updroots.exe
PID 2832 wrote to memory of 1452	2832	KB931125.exe	updroots.exe
PID 2832 wrote to memory of 1452	2832	KB931125.exe	updroots.exe
PID 2832 wrote to memory of 1088	2832	KB931125.exe	updroots.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-24_7a50c28b9af18691eab4c788b1905ccf_magniber_metamorfo.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_7a50c28b9af18691eab4c788b1905ccf_magniber_metamorfo.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:3008

C:\Users\Admin\AppData\Local\Temp\{C5E7C5B7-2999-4f39-A3A0-1F2E55D89747}-TemporaryCache\KB931125.exe
"C:\Users\Admin\AppData\Local\Temp\{C5E7C5B7-2999-4f39-A3A0-1F2E55D89747}-TemporaryCache\KB931125.exe"
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe authroots.sst
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:2824

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe updroots.sst
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:2524

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe -l roots.sst
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:2588

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe -d delroots.sst
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760

C:\Users\Admin\AppData\Local\Temp\{C321322D-7187-4663-9B31-AA146BBE6819}-TemporaryCache\KB931125.exe
"C:\Users\Admin\AppData\Local\Temp\{C321322D-7187-4663-9B31-AA146BBE6819}-TemporaryCache\KB931125.exe"
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2832

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe authroots.sst
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1292

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe updroots.sst
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:308

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe -l roots.sst
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1452

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe -d delroots.sst
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W95INF16.DLL

Filesize
2KB

MD5
7210d5407a2d2f52e851604666403024

SHA1
242fde2a7c6a3eff245f06813a2e1bdcaa9f16d9

SHA256
337d2fb5252fc532b7bf67476b5979d158ca2ac589e49c6810e2e1afebe296af

SHA512
1755a26fa018429aea00ebcc786bb41b0d6c4d26d56cd3b88d886b0c0773d863094797334e72d770635ed29b98d4c8c7f0ec717a23a22adef705a1ccf46b3f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W95INF32.DLL

Filesize
4KB

MD5
88d01717dc4f1119ea925ff0217c5f49

SHA1
7da9c2e12283800f9896c1f15f789539529e00ec

SHA256
c6407f5792a945bf0948de191e6c54c4fbd2abcc0af3994140fb4319f685dbbd

SHA512
39ecd9d2bb8b4edf88b8882640ec49c061fa34496c026ad19adf4bc4462de3949c72ad00bcc2ca27d53596221c026e978f875bb6cf7e0e8c2d884c1d37a83781

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\authroots.sst

Filesize
73KB

MD5
bb49ccc10926cdb601eba81afef749a2

SHA1
a4766c9aea8d211e9632148fd4b625cece195be9

SHA256
f013ee3b7fede9a95844e83e83ee298d38cba6efce5a5cafcd8b95255c32f86c

SHA512
94c2809727039d1ed07a3742a4b2f9300e865ea7c49bc1fcf547a30238eeecc88d8dd06a2d4f3112317f948908b9af082b50f412a41a2bcb48d5e30d6d8ecbba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\delroots.sst

Filesize
9KB

MD5
7b32871e409608ff887b6cf4d87debb0

SHA1
191f9ea1298ee52dbd6f977b3584109a064f57b9

SHA256
3f01268547364d2d60a0f65b46757cccfd9225fc39d581846a8fbffdb5756ff2

SHA512
534a384f7946db4083e639b8e02d83ac97293c60630b8811a84c85e0330e9c293f05f5cf71e0f3580551e7923bc5a3bfb7f0406432ca3cdb7efeb4a950ac5e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\roots.sst

Filesize
7KB

MD5
9e5de0fd1f90486a66dee4bfe89a78d7

SHA1
90e3188ef63495aaa71c85d4ff0f23253c834b40

SHA256
8b95ff56d61586582864d05563762615c8705779578dca3c98a303c3b1f4122e

SHA512
60006fa6f57e4d280642d51055f85f8d27b913ce71373de5b928c515c77647295030ab73ab4a55024de4a40c18f200909f49ffb52c26cf554835fc3d4cc348f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rootsupd.inf

Filesize
1KB

MD5
421e60325404f5f29ac04c9b9d59096b

SHA1
aace2fd74d799e8af5c8d5b2646361bb67a1620c

SHA256
571a8da5298aacc37700c747ee5d72b5a7797835140e7a4d4f895e9604574d77

SHA512
86693975b1b187ee65b0a23b1f3f8e05d1a3f61e7e47b060f938fe1602bbad96021847b709e64c2d5a295b72f10f4db587a11a1e7ca0a0b64c3bed7fa683b1d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.sst

Filesize
320KB

MD5
2d9b4498c847715418160bfd7e7c8a2d

SHA1
e0873091d476d2566aa6fc988cb364247c95dc97

SHA256
c49c05b701c390c679e5e3226ec621f22a08155b1065fcfc37b509f648f03b41

SHA512
dcf3208cdd1e4353f82823f796d735c1209f149f183eea827a90753ec55509a1c460a16c120e07c12a5eacf0e67d2661c25638491ecf4403e25d6508983e519b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL

Filesize
89KB

MD5
a64e4b204d44548eeb5c3d86eca2ad70

SHA1
e3245bf6dbb2e56d71a9cbad2697aa4fa0df6bbe

SHA256
985a5603ebf94539ac11549999f83b5e6dc008180994898c5daa6fd31ae1e9dc

SHA512
dca4099318954bab5f1204645be0d0e8fea0c2e97ee95496fa884fbed627e376358623fa94c39bf0abe97d07d46a7e6c5e1081496cdd1987e07e595995a46cd5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe

Filesize
5KB

MD5
9c18ae971cbffb096952177f6804ea31

SHA1
bb255dd1bd9bb39cdbb8671af66054432c686828

SHA256
2703c25453b09c40ee81fdc458b8cc24712e387a12d15ff94e12b02921fe98cb

SHA512
21086509bb4ea5afede55d034955de0bdf8b366d5d8d4bfa7a6c68b0f35fbf217ff3e932f87fc1d37f09022805e79ceeecbaf3dbccbd96d7c93029ffe7370e4c

Download Submit
\Users\Admin\AppData\Local\Temp\{C5E7C5B7-2999-4f39-A3A0-1F2E55D89747}-TemporaryCache\KB931125.exe

Filesize
349KB

MD5
4a4d72d34f9da1fc5019e0748fcde2f5

SHA1
f54752ec63369522f37e545325519ee434cdf439

SHA256
83b660f3f3eaddd4b388ed3f806f7444f03429fb63fc1f8db3d86294914a05ca

SHA512
95986ffbf51483a0d1a256028847c7ee6ac73ffd62f6d838309a69e1833f719a7cfed5422815f4d4a49dbd599c449f8db8f60273136720cb1da5f8b0eb24cb33

Download Submit
\Users\Admin\AppData\Local\Temp\{DBAC0299-AEF2-4ce7-8F31-9F1B413CF952}-TemporaryCache\7z.dll

Filesize
1.1MB

MD5
f0fef6362d4886e85a186a5e3766650a

SHA1
65843b7052a4d1b84762479d79445c46834e18b5

SHA256
15b9fe7d408cbf2204039087526e7df947df57b42ea479e303b682e956638816

SHA512
3f6dfd701cf62b77219f8825a2257c4bd7d44ebafc5654b06abaf906ced2571f4eeb04fe22ae6136c14bddebddb12555aa6efd322e779443d57bb122ea786043

Download Submit