dc626f8f3b32c1e751d02c3e881bdfdc701a8db9dcb11a424b68f69fd7c4ce5c

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

-.exe
Size

325KB
MD5

04704493bcdc4d0c1c9d0fd8ebf5afbc
SHA1

95d64b037a8d0c5d8318a7c1429d89529ac5c766
SHA256

28225c5622637cdaed8342e14560e8de7b53dd6ba145d973643fc4b5bdd67b75
SHA512

ed06b9f7931326ff6923b65e95db45931b21995aa8b52eb26f578017e5b60bee7139251bc3fedc65fc7becb7e1d7d4dfdaa17361d01d8d36ebd770c9142c5c8d
SSDEEP

6144:daVWdyzOxeA1DfdwX3MmIO12waD3ioZjkzQAqnee7j/lEm5sQ71oJwZzyIrz:dMROxdDfOnMmXa3ioVTPee9t5sgoJqrz

Score

8^/10

discovery spyware stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
3004	setup-stub.exe
572	download.exe
872	setup.exe

Loads dropped DLL 12 IoCs

pid	Process
1452	-.exe
3004	setup-stub.exe
3004	setup-stub.exe
3004	setup-stub.exe
3004	setup-stub.exe
3004	setup-stub.exe
3004	setup-stub.exe
3004	setup-stub.exe
3004	setup-stub.exe
3004	setup-stub.exe
572	download.exe
872	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/memory/1452-0-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral3/memory/1452-101-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral3/memory/3004-144-0x00000000054D0000-0x0000000005516000-memory.dmp	upx
behavioral3/memory/572-351-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\defaultagent.ini	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_70.png	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\lgpllibs.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\omni.ja	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nss3.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\libEGL.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-stdio-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\xul.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nssckbi.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\freebl3.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\application.ini	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-conio-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsy9AEC.tmp\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-localization-l1-2-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-string-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\AccessibleHandler.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\osclientcerts.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\mozwer.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\d3dcompiler_47.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\xul.dll.sig	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\platform.ini	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsy9AEB.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_150.png	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-heap-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\mozavcodec.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe.sig	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-convert-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\tobedeleted\nsyECEA.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\mozavutil.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\tobedeleted\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\locale.ini	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\msvcp140.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsy9AEC.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\vcruntime140.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\ipcclientcerts.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsy9AEA.tmp\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.ini	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.ini	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	setup-stub.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	-.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup-stub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	download.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430499228"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb47000000000200000000001066000000010000200000008e5792924bc2ccd0b308ab290f916bca4e44070b3484dfc0590233aa77b8113d000000000e8000000002000020000000ee9deecce71bc57db2f12c95b52aadd7108afe5a2f2c67def72f8dcbd5aa2abf200000008310fc2ca28ac02d2f60fecf1ed80ce0e5e1b724407e493b650b991d07c1a3e9400000003c9ea2ecf8e5983b133bac3bf5c756057b57318bf3226e0beb1689a23794e7756dd17100d0abfd93728da59c968ad1135eaa73dfc0d39d44457b2d4836f504e2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb4700000000020000000000106600000001000020000000aed22b5421adba76db76c3289627ed5a25a36441edd4e38e66a47283e9a38ace000000000e8000000002000020000000afe76248431e2ab4504168a9d2608afaed15c2d11b3a07ce23c20bb3e2235385900000008974b03bf7e00f03559a3a18cb23760619517d30f8d594e353d67d8715d297c02a0aae1b403e558e6d0f913196b8ba852e95f951b3ab46d60c73b599ffc02cf3a7001a5b77675e3c933a570cf117f33fe8e0e007fc9b25a38bed8fb31d410cb95f452a5e174fba5577bd14dbcc5680ca880b02d35c0bc1595c9f9b8dae0be52f76e2a3a64b542cfc9cbb8efc5a78db9c4000000072a8f2c94adf519457f183e1f0e1158f021d08a0bf9d4906fe92d2dca50f2f6119c65475936cc8e94c3ce908df0d2ba67afc58a99dbfc857c2a70238e0c9d8be	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	setup-stub.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CCABC191-6093-11EF-A7C8-6EB28AAB65BF} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50f0aca5a0f4da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup-stub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	setup-stub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	setup-stub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	setup-stub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	setup-stub.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3004	setup-stub.exe
1604	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3004	setup-stub.exe
3004	setup-stub.exe
1604	iexplore.exe
1604	iexplore.exe
2588	IEXPLORE.EXE
2588	IEXPLORE.EXE
2588	IEXPLORE.EXE
2588	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 3004	1452	-.exe	30
PID 1452 wrote to memory of 3004	1452	-.exe	30
PID 1452 wrote to memory of 3004	1452	-.exe	30
PID 1452 wrote to memory of 3004	1452	-.exe	30
PID 1452 wrote to memory of 3004	1452	-.exe	30
PID 1452 wrote to memory of 3004	1452	-.exe	30
PID 1452 wrote to memory of 3004	1452	-.exe	30
PID 3004 wrote to memory of 572	3004	setup-stub.exe	33
PID 3004 wrote to memory of 572	3004	setup-stub.exe	33
PID 3004 wrote to memory of 572	3004	setup-stub.exe	33
PID 3004 wrote to memory of 572	3004	setup-stub.exe	33
PID 572 wrote to memory of 872	572	download.exe	34
PID 572 wrote to memory of 872	572	download.exe	34
PID 572 wrote to memory of 872	572	download.exe	34
PID 572 wrote to memory of 872	572	download.exe	34
PID 572 wrote to memory of 872	572	download.exe	34
PID 572 wrote to memory of 872	572	download.exe	34
PID 572 wrote to memory of 872	572	download.exe	34
PID 872 wrote to memory of 1604	872	setup.exe	35
PID 872 wrote to memory of 1604	872	setup.exe	35
PID 872 wrote to memory of 1604	872	setup.exe	35
PID 872 wrote to memory of 1604	872	setup.exe	35
PID 1604 wrote to memory of 2588	1604	iexplore.exe	36
PID 1604 wrote to memory of 2588	1604	iexplore.exe	36
PID 1604 wrote to memory of 2588	1604	iexplore.exe	36
PID 1604 wrote to memory of 2588	1604	iexplore.exe	36

C:\Users\Admin\AppData\Local\Temp\-.exe
"C:\Users\Admin\AppData\Local\Temp\-.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Users\Admin\AppData\Local\Temp\7zSCA5D9A86\setup-stub.exe
  .\setup-stub.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\nst9ACA.tmp\download.exe
    "C:\Users\Admin\AppData\Local\Temp\nst9ACA.tmp\download.exe" /LaunchedFromStub /INI=C:\Users\Admin\AppData\Local\Temp\nst9ACA.tmp\config.ini
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:572
  - - C:\Users\Admin\AppData\Local\Temp\7zSC32BCDC6\setup.exe
      .\setup.exe /LaunchedFromStub /INI=C:\Users\Admin\AppData\Local\Temp\nst9ACA.tmp\config.ini
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:872
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.mozilla.org/firefox/system-requirements/
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1604
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1604 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
52310e4c2ab635e17b3590065a16adbf

SHA1
a897b1883d7846a21cef5fa05a7e51f99961e9eb

SHA256
d29726d735d34a66564ffcc3a5e019a8b8273a5145bdc70d30dca4b675d05e22

SHA512
1943e081627f15b0aa9de7a981bdf94757aca2400bff62c980c4256eeacde5cb935786e2c6409b0e886809352cf45e298e7965f7abfd041c861d14bf171eb0be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b96934261522d663596bbd3378b3e523

SHA1
441738fc6dce9ef0327099e0fadf48d20ad6de10

SHA256
32bc41585db833d0a84ff39748713f3ff7e7e89edf162e1cddf55d2f19c96388

SHA512
7303c092a6eaedd6da95867acf0a6af18f3c5ddf57ddac839f36dfcc7adfaeabbc7ef6a47b91dbba8c85e585da34a8e356afc899eefe3115cb76848bed582431

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53dab89a342f8bbd82b054fd15a1c054

SHA1
b60254f744fa9d01bb248fd6a470f14d9068541e

SHA256
ae172c0ed5459b8e7462f63ca2ef518faf15bdc8b06ea95a7442b00a531db62e

SHA512
c0cc365a4fbe9fbc987badba6e42c292b5aee134bc985b818cb3f0f6a3bc6f9149959924e6cfe2b519c0cf18ff8f36a162127f615e0d475e0c0fe99d932cfb85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9a4205bcc1167395c21d19f3ff38328

SHA1
3403822cad45553ba49905ff8026cf2277e4a0e7

SHA256
cfa480d82e4954881fdd6f700047553c12eab45020bf50bd0ea3da5e1b55fc30

SHA512
b47539cb4b2de1b2834a51425d486a399b53bbbccda98f1aa839e23d00508c633e78301fd2d0d368b904215251a89d7d3bf3aa2c0b96cfbbd92a9d962bbcda33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c0caa6efb77604a7351deda2ce3d067

SHA1
0365d80ace1bffed9469e2ab8a4c33645fe5b6a0

SHA256
780473f7504ee7712895838e3e8b5ba984489fd2c2b14c44f9aae20e3779f23e

SHA512
7e9c2bae5e67fdb69de66ec0c09c2cbcb2b3dbb6dacb3f808ab723fd5e349b4833f9163b6d08b58b46eb601dc55b7341c18332d415669b42bcb87ffc8b42b011

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6f5a9af45fb1b3556a418d65793d264

SHA1
04944e90570e02f724ab1fadc2f67f624c425b55

SHA256
11a07ec25d42e905eb6a67189ea95b2d4fd433f27f819c585a5079d0bfe057db

SHA512
3f5c2d9062d079e284a8eb4a499628e189b3ffc6c077b67bd001db9c11dc9187d2431dacc5fb1c35b004a2a00381a690135eb8ad9d576aec89e5c73aa925bb51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03e911bfdf1a9e1c81cf0cb121dc799a

SHA1
0112aa2077bfb9116e68e7292d11e80674bf2801

SHA256
dcf61a5fcbfe5e2970243863c1623b00e7471eba78792ceb67e36c9b461b64c5

SHA512
800c361d9485aad85ef09ab92b7e7f3f99d51e1ac77105596295bbc80127af0c5cb0823a0e68b563fed9bbff80be691757f6621fe0a1ea31aaf59cc45a54bb22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b492008f5c6b35f7bd61061bbb5ae4b

SHA1
3847e4a7193516507cb31139055a0053c9b63e38

SHA256
e832fef1e365f3a366217c361f653f517c64f8d898f89b432906e582b361bf8c

SHA512
635bceb8187a2c54cb278d842827c365c5ae3b7fe6cb0524234f6dd06507f10796f427374db78b485a4e569664c1a22c03799093566af2afc8220accf5ea4ce5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e457625e66791b4d2d8188281bf4e882

SHA1
1a3ea69d07ff175a7caa24cfc3849abaa9e289ed

SHA256
65a5540e02928b274b2e97d37864f5fc57ea9a54c2260f59ed4bc1770303b24f

SHA512
8ed6c9ede7ca24ed6fbe3d17b48cf8a6af903db551edd031b5e70cec6784718803988965045915df2f84013d4a31bbe50437402398e5be924fc235d5ce66d177

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d41bf34ae16d8fc97a183ccbedb70f6b

SHA1
02acfb09b6902f1c04f2d60411541285f2e01aeb

SHA256
ec4a13c12805013dc775e97e99f4cc204fd434eaef58031e2a5c599ccdcb093f

SHA512
2375056782bfb8acefe11f4dbd50f577eb33923d61f46cfc34158db95b3c3a6dbdc1ec7307d893a4b89845190e92af04a51a107d133b86fd11c07c4a07a9ac6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ddeb389c3caa547f445959a8a4fc614

SHA1
8bb6511a992804df9ef8645e0d9a661aae9a2f4c

SHA256
c6a393b956efcdbc4a6a42237b44459b41ff39f7ff14099152b659e97b9e496b

SHA512
517c0c18d077eb55380570ff4581daaa593dde79d100a6d3321d1c408800a5aaafc4968df062834d422a37cbc41f0b46f185ac37a5313a04ee4c73e5057499eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6348c35b310de0f3b16e79142292f874

SHA1
259952329120cde4c94b1399dab2f3c08e312e36

SHA256
1b9e9f7e94efa9168c1f13c8ce9406768099d1e833bd20568066aade56f2eb11

SHA512
5cd97a3c6f17e61f593088399e956a873a05ec1beec869644d7cce21b9fdee0124866272b171905e4b56985b207ebbb1af5e5290fc5182a2ca116ae0912744ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f45f79c71b7802e31d032fb4ceb500e5

SHA1
64e6312ffbeff64e13d5a580330fd41bfa16131a

SHA256
16ef46f413b3f82947504f08044dc30e0f3118ae7bead200ba527eb28f9c50ba

SHA512
5964e54a80b5f65bcc7755872d507498b1d7d4f4a875fed97be19b1b2e4ec24d099a6a93e37272fac031a8d3aab69a75214bcd247736a71425a675c2280b68b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b15cfd5bea7de9f317b0d6d7e04114a1

SHA1
6a2352444300a84e5548844f7f3fca05b2418878

SHA256
8987431c6757eeddbe096deeef493810096a92ccb60d9f9216860ab71d901721

SHA512
bbdd1563613422e5116e0699930b4c8908b4b2544078f873d6ec08daebd2e54012ee00a1e17b26a819fe00aad01b9210f73e65071fc64d01ac3bd390149d4902

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
377141a1c71b98227327029f18e5bbd8

SHA1
263361e03879ac69d3878dc5a59f3088f183d022

SHA256
132c7ae02f9eac581f16ae76343620c10ece25e2e744a1d42ea13e7e6a50a48a

SHA512
a97a305301c64180cbb032cc81edeec483d983126b467da061a5225d93d285e119f6b67d38d32d8ce86bec753d31bfe8f51dd92ef06f43a9b3040ff38d92ce44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6fedf9562cb14e5ba5c00530ab9f2b6d

SHA1
7a941e7cb60d81038e91fc0e35a5b26473fddbe2

SHA256
145761e2462f67b2e1db21b9e0c4257590bada7d623f6b793a3b4be22fdac2d4

SHA512
745095bc0363b2cf0e2ee236ac476c9f8f126d23e6556a48a87f233c574b2aad66559c6c030513f485bf807cdc0fe20f9307c6ad49cd8c9baaf00b162f8b7c95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
203ca40c51b19684c6863e2ac24c0b09

SHA1
af8d24f6307b2af49b1eba4d40572af7c13c74e2

SHA256
ba61ac7828f38be0fa2a399130acff817498b2b5d4f445a12695abc6439c51c1

SHA512
d8a8b68dcf8a4dca160f5f2e05a11a88f0a1901c2151283f1bf28d4687d314a6fd3274ba9c946faff4baa61c4cd8212b9782429a994cdb1a02e405695fff33a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0478e7f4a02f13a2e12cd9247f834d53

SHA1
bb4e9d1e17ea560b87b7033c712bd96090e837ff

SHA256
697676330cf92016374bed6ef8a111ba9ec85707af80c1939f2f1526b4096d85

SHA512
a625f033c05dc072b13c01450fdea2712dd42078fbb0d4502e1762515235c0d1bb3ea2d628f7435489d8c308a479b09b1481c3bd4bf2ea3e7648883ef3186820

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e763f111aa7ded633aa87def18468e56

SHA1
44a4aac489c7025cf8f928870b736bc706f10e34

SHA256
d22a19dc8b570faea666095cc4b5f64f382ddf8b0db51c65df2a5d1de87d59d5

SHA512
7846b6101dbe64ca05e3a72a283d69a2b08c26626d367f6723d3f12b8bb4f57a5312ae0393a9daecb8f81eaf4840711f34bbcd140f29c1fc16f54ce2631ddb61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8046f50a1186add9e6dc033cf27f982

SHA1
b951cd18e77a328b90cbb326c7679416308e237c

SHA256
d7ac4bc03b0ab04efc9021ff4d73fea1a6831d6cdd32b9239b904ec8262e3345

SHA512
ddbc2d349271eb10cb1515c8e9b2bec21ccd3b0c358de9bd5d73985d8de481ccbc7ef6199ca1ec2cd5eee09fd04b485dd3ad64ed4fa65866b0b97402d417fd83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
693fb5a91e540ed7fa45a73511fcd8b9

SHA1
b714878ac2a861327f2b9d7b705adc7dd2022d76

SHA256
d6715e88f352db3d853e0bb4ec724c48b01111ec1268ce07ce0d20ee0590d7d0

SHA512
c84e8d7f5b20c5af0ae4a58d86cb8d01a1fe7e08367e3fff3e611837015e146a1496a897be8b2c95831ffb0959d621effcea909064010eb92d7d13776e7b9ce2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
47ef9eb2fb9f7aff43223624fc51874c

SHA1
b7dd99a470f4c87515aa08360da900b42f6c3e27

SHA256
f207ff07da1ee27044003a64f4b7945ef98934a5df590e8bfb28aae1a59917bf

SHA512
53860b675533a185f0f605b80abc802286772108b8d520beb6d3958bf896d9dae9b3dd8f091b7a854d844d8a094f9cbed692fc49903f5382d4cd8ca4775bd9a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\0qn8gcy\imagestore.dat

Filesize
8KB

MD5
8095f1253415256496258c901124be86

SHA1
591991407bff6d2dc4e9212d28aa90b49c3fe21b

SHA256
5d0b3f86489cdc2553c7bb8a2ba15584f60192f3ac098c728f43e1bcb27d0c6e

SHA512
568fc116f2adbff36b2941f281cd545a7a47df4f703be09740fe760a3d829b6c954fb851b2a74e83d0ec649e108a53cf01aeb6ef66689896bdc904f4bc208480

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\favicon-196x196.59e3822720be[1].png

Filesize
7KB

MD5
59e3822720bedcc45ca5e6e6d3220ea9

SHA1
8daf0eb5833154557561c419b5e44bbc6dcc70ee

SHA256
1d58e7af9c848ae3ae30c795a16732d6ebc72d216a8e63078cf4efde4beb3805

SHA512
5bacb3be51244e724295e58314392a8111e9cab064c59f477b37b50d9b2a2ea5f4277700d493e031e60311ef0157bbd1eb2008d88ea22d880e5612cfd085da6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEAC4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEB83.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst9ACA.tmp\InetBgDL.dll

Filesize
7KB

MD5
d4f7b4f9c296308e03a55cb0896a92fc

SHA1
63065bed300926a5b39eabf6efdf9296ed46e0cc

SHA256
6b553f94ac133d8e70fac0fcaa01217fae24f85d134d3964c1beea278191cf83

SHA512
d4acc719ae29c53845ccf4778e1d7ed67f30358af30545fc744facdb9f4e3b05d8cb7dc5e72c93895259e9882471c056395ab2e6f238310841b767d6acbcd6c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst9ACA.tmp\WebBrowser.dll

Filesize
93KB

MD5
dfe24aa39f009e9d98b20b7c9cc070b1

SHA1
f48e4923c95466f689e8c5408265b52437ed2701

SHA256
8ec65a3d8ae8a290a6066773e49387fd368f5697392dfb58eac1b63640e30444

SHA512
665ce32d3776b1b41f95ed685054a796d0c1938dbc237619fa6309d1b52ae3bd44e3cf0a1f53ebf88556f7603111cca6dff1bfc917a911e0a9ce04affd0d5261

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst9ACA.tmp\config.ini

Filesize
187B

MD5
ed23468cb20f1f37a967eb26f639faef

SHA1
5707e3d394b6a3e36e8b1e23317ec115bafa1e9c

SHA256
812217f840657b7d310c406d7224eb1c339079ad48541d922e3f15f1b2e3d913

SHA512
9a7d3073b2d7d234eee56464df7b58be4466171c3cad47ebf0d4742c0ed05555ac890a18991ef59bf8b0751a207ea04f86a728fe3b0cb19607b9f6e4f45e76f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst9ACA.tmp\installing.html

Filesize
1KB

MD5
32de55f44c497811dd7ed7f227f5c28d

SHA1
c111be08e7f3d268e7a2ed160d0c30833f25ae4a

SHA256
6259f3a41a703f13466503e6fbd37ca40e94f565a2f4b4087fbcd87a13bf3ee1

SHA512
48bb6f24b3ee2f4b7052205a3843ea34f917ee192b70261d2438c037b0e17d48bce8beb4c31be4141e9618922a45b6b47745b797e5618f18fe00bfc1625309ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst9ACA.tmp\installing.js

Filesize
2KB

MD5
dfa7861bca754036ab853b3bb02b194d

SHA1
46d7c5ba614b39caa4857fcba4bdedbabb2c67c0

SHA256
2c286b6eefd38f032a385f3ac6a1f794deab3bac0fbff71bd0ba21453f477878

SHA512
c58d96fb2496a84261a5e4b18cf4156a30f9ad161bbabc3652b6b5c24976f1ac432dced31927a9443260cdca0292524d1f691766b7c0731f926d37be11fe0c64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst9ACA.tmp\stub_common.js

Filesize
817B

MD5
58b8ac894c64370cfa137f5848aeb88d

SHA1
6a1ac1f88a918a232b79fe798b2de69cf433945f

SHA256
0e28aa770b0afade30be85c6dc1e50344db8f8cdd3fa01989d81a9e20a4990bd

SHA512
ae309518e0f926021e4d9378950c1a375263247d4f79d8a8cc09464cd01653ae5e707d52a4b0c36d532e649c246f4be6b5ba8648f58fb0e3e40c495ae63180ab

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC32BCDC6\setup.exe

Filesize
936KB

MD5
6e3a28d05ee41af8249955a225c10d56

SHA1
9c76a6a650644800724326d0114e6e2603a09bcd

SHA256
358a7531ad0ba8da5b81df5e9a4188a4c5ab3cc7b9aebf2aa89e44f1487a1278

SHA512
7479daf7bf66196768bad1597454732c109b8df3b2a83e0da6315b4b2028fb2011befd6abc7dc3ebf8b245993c794df161594047243142e3dfca56cb1032eea5

Download Submit
\Users\Admin\AppData\Local\Temp\7zSCA5D9A86\setup-stub.exe

Filesize
464KB

MD5
32b1aed8cda8677b31c3cec33b982462

SHA1
5966299d342e5c0a123551c49f97324494cd48ea

SHA256
d7840eea40a5a88af824f24473e95d0227e69c4439d6ea791d50cb94bf0cfb2a

SHA512
b9b33072350eff2f90e8e5bb84af9c78592c39bebeb8abc5775eb4f2cf87de2873e42d2ed3124772ead4b18a5618bf4a519bf334de0d07f2e87f5862c55454c7

Download Submit
\Users\Admin\AppData\Local\Temp\nseFA67.tmp\System.dll

Filesize
22KB

MD5
b361682fa5e6a1906e754cfa08aa8d90

SHA1
c6701aee0c866565de1b7c1f81fd88da56b395d3

SHA256
b711c4f17690421c9dc8ddb9ed5a9ddc539b3a28f11e19c851e25dcfc7701c04

SHA512
2778f91c9bcf83277d26c71118a1ccb0fb3ce50e89729f14f4915bc65dd48503a77b1e5118ce774dea72f5ce3cc8681eb9ca3c55cf90e9f61a177101ba192ae9

Download Submit
\Users\Admin\AppData\Local\Temp\nst9ACA.tmp\CertCheck.dll

Filesize
5KB

MD5
2979f933cbbac19cfe35b1fa02cc95a4

SHA1
4f208c9c12199491d7ba3c1ee640fca615e11e92

SHA256
bcb6572fcb846d5b4459459a2ef9bde97628782b983eb23fadacbaec76528e6f

SHA512
61f07c54e0aaa59e23e244f3a7fd5e6a6c6a00730d55add8af338e33431ed166d156a66455a4f9321cafbce297e770abc1cb65f7410923cb2b5e5067d1768096

Download Submit
\Users\Admin\AppData\Local\Temp\nst9ACA.tmp\CityHash.dll

Filesize
43KB

MD5
737379945745bb94f8a0dadcc18cad8d

SHA1
6a1f497b4dc007f5935b66ec83b00e5a394332c6

SHA256
d3d7b3d7a7941d66c7f75257be90b12ac76f787af42cd58f019ce0280972598a

SHA512
c4a43b3ca42483cbd117758791d4333ddf38fa45eb3377f7b71ce74ec6e4d8b5ef2bfbe48c249d4eaf57ab929f4301138e53c79e0fa4be94dcbcd69c8046bc22

Download Submit
\Users\Admin\AppData\Local\Temp\nst9ACA.tmp\System.dll

Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nst9ACA.tmp\UAC.dll

Filesize
18KB

MD5
113c5f02686d865bc9e8332350274fd1

SHA1
4fa4414666f8091e327adb4d81a98a0d6e2e254a

SHA256
0d21041a1b5cd9f9968fc1d457c78a802c9c5a23f375327e833501b65bcd095d

SHA512
e190d1ee50c0b2446b14f0d9994a0ce58f5dbd2aa5d579f11b3a342da1d4abf0f833a0415d3817636b237930f314be54e4c85b4db4a9b4a3e532980ea9c91284

Download Submit
\Users\Admin\AppData\Local\Temp\nst9ACA.tmp\UserInfo.dll

Filesize
4KB

MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
memory/572-351-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1452-101-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1452-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3004-33-0x0000000000730000-0x000000000073F000-memory.dmp

Filesize
60KB

Download
memory/3004-144-0x00000000054D0000-0x0000000005516000-memory.dmp

Filesize
280KB

Download
memory/3004-479-0x00000000054D0000-0x0000000005516000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads