sodinokibi | 06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851

General

Target

06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
Sample

191210-7p5x2e28ws
SHA256

06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851

Score

10^/10

ransomware evasion spyware trojan sodinokibi

Malware Config

Extracted

Path

C:\5k85943-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 5k85943. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/041FB4C15C08312C 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/041FB4C15C08312C Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: JYo1JzzkLBzMOHESIBzmwJ0mkP6J+kCQpZowiN/Vdeec3sPSXKV1IoD+d/N/OpgC HZGsNt5ST+GcdKsVJYM2n7BSqtan8+BslptO4mZNeK/dHXP9thxuDmQT2JbQ5x0e dK3Tz67MjPuzJzhdz+1zNm6Zr3gmFagpGNUTK6sOYOhwnOVDly85zrT6Og9Ahtuo fQS9Pqm9dxp0tV4rMvXJfiV+t5BvN58/5bwNq2d+tBQFOo4401FfHeIoyjBpk7qQ sU6BAlw2AoRsFZcYtq02jeB/5ef6dMj7tFqBGmtsG52570ceVck+auubgTrFuI2z StJrqV2deFwrFm4+khvPWihmiZaXcKmCRrcFTWeNVnLMEp0xFwWiR/EM5ijFHT7Y YxKZAgu+w6tMoHtzuNNELlA2SbFeVdLCdl2xMiPF1THlvPoC9GkA5jhPYYNWhAIE iIxAdH2HCbR/TIiDdmyqJuYMLPngW/nbavMat5PuYRIDlRksNJUg07+oenIHsz3G 1AMMfquyA0NvuV65d3MGd5jZhmuy+LiDDpvOjPQ2Y5clPQ75qrk/iasJR0Xqa99u DJ659502SMbo5Z8YiBOfEDfTnB6p692ThyySJdkJ+Z+AMtkcnckASGbtDp9AwHhM 3p8rPZG/SjnfmsOJiCaaoBOw2tRdhRqyps0uvFvS8BcOTw6drl37lr9iPK6ddVCJ ioqtrqPDM2fVjceUTnj57jYM8bCCYyfw8FEPA6POvzfCMxl3ih7G9zDM25qIAizt 6xL+ikQ/WH4sYLVJ3zLgfQZS3LPjvZxhNHEtLmwftkTM9qyw9U3Gp8KvQEtf0Tuv 2LRVwCugat+hyzfpx6IBg4b8vjVl1Atky7B6MApMCQv07b9zK9g+bH7XTGGD1bMD fe0kPp+iZIKNcMcwJMAttXer1q8l1NuDuZVHeon32lMWoj4/x2ew5Tvp8cckILo6 /Ku65KxYgUy1PnupOZmk7WIFwrovv8zaufu2ema6HwC/4CL1k37QjktX7aeth76Y lSvJtNYckXattKAQQxDB7nje6fqEP0vdLzOsfh2JdbsPJiCHyO+cDvZkAat3PlyU jdHWFepnfY2eU3YJE1fg6D3Ijpoh2KY7xOQD1OhgbtO1+H1CaQTo5O0vADcDuCQQ INjsbF6hzZXdyw== Extension name: 5k85943 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/041FB4C15C08312C

http://decryptor.top/041FB4C15C08312C

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe

pid process

2044 06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2004 vssvc.exe
Token: SeRestorePrivilege 2004 vssvc.exe
Token: SeAuditPrivilege 2004 vssvc.exe
Deletes shadow copies 2 TTPs 1 IoCs
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1428 vssadmin.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

pid	process
2044	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe

description	pid	process
Token: SeBackupPrivilege	2004	vssvc.exe
Token: SeRestorePrivilege	2004	vssvc.exe
Token: SeAuditPrivilege	2004	vssvc.exe

pid	process
1428	vssadmin.exe

Drops file in Windows directory 3276 IoCs

Processes:

06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-t..-platform-libraries_31bf3856ad364e35_6.1.7601.17514_none_4896f054b1edb553_iphlpapi.dll_7ae3573f	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..ck-legacy.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a7b0ad52b3bcfdb6_wsock32.dll.mui_18b23987	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid_31bf3856ad364e35_6.1.7601.17514_none_b57215bac8c6d647_appidcertstorecheck.exe_03352f5f	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_hu-hu_330f86d55de64a40_comdlg32.dll.mui_ac8e62f4	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_6.1.7600.16385_none_63dee2821fc69fce_bridgeres.dll_55e40455	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..ng-spooler-splwow64_31bf3856ad364e35_6.1.7601.17514_none_25d05769a8973724_splwow64.exe_74753166	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-dns-client.resources_31bf3856ad364e35_6.1.7600.16385_en-us_18f35f70f89526d1_dnsapi.dll.mui_97465f8a	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-halftone-ui_31bf3856ad364e35_6.1.7600.16385_none_36d50a68b4cdc1cd.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_networking-mpssvc-svc_31bf3856ad364e35_6.1.7601.17514_none_f83a40e7de7c47da_mpssvc.mof_662b1c14	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mpr_31bf3856ad364e35_6.1.7600.16385_none_09cabb1971a25848.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2ee797247339fb7c_printui.exe.mui_5e66aade	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..unterinfrastructure_31bf3856ad364e35_6.1.7600.16385_none_cd7aeeff1897d018_cntrtextmig.dll_08675f2d	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_ko-kr_1b56589636443993_comdlg32.dll.mui_ac8e62f4	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..e-microsoftjhenghei_31bf3856ad364e35_6.1.7600.16385_none_c135aa29f9c5f8da.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..itmap-ms_sans_serif_31bf3856ad364e35_6.1.7600.16385_none_ac9f9e10add68c8b_sserifft.fon_12f4f3b9	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-small_31bf3856ad364e35_6.1.7600.16385_none_d7839341959a2de0_smallfr.fon_f438f7ee	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..endencies.resources_31bf3856ad364e35_6.1.7600.16385_en-us_06b4240709238ea6.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..tional-codepage-932_31bf3856ad364e35_6.1.7600.16385_none_2ad03056b4ecc39f_c_932.nls_bb04d917	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-qos_31bf3856ad364e35_6.1.7601.17514_none_0c716dff6e442c24_traffic.dll_673bed71	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76_symbols.xml_96f37034	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cf00a033363ace4b.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-usp_31bf3856ad364e35_6.1.7601.17514_none_0b207e7d6f1bea6f.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-webservices.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6aac11498ff0f4ac_webservices.dll.mui_eecc809d	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..rcluster-clientcore_31bf3856ad364e35_6.1.7601.17514_none_ef6d8ddb4eff2674_clusapi.dll_06332635	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-vani_31bf3856ad364e35_6.1.7601.17514_none_5a885c9b0fafaf30_vani.ttf_cae9a052	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-gdi-painting_31bf3856ad364e35_6.1.7600.16385_none_d360c9c235bd1868_msimg32.dll_2a4e0bd8	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mpr.resources_31bf3856ad364e35_6.1.7600.16385_en-us_167a7fa34db11fe9.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_sk-sk_3165765b03216fd8_msimsg.dll.mui_72e8994f	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7871ea5b49da50fd.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_6.1.7600.16385_none_db04d3f548508fd9_vgaf1257.fon_9bd8a67a	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-htmlhelp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1143384e9ab8e550_hhctrl.ocx.mui_632bdfc0	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-riched32_31bf3856ad364e35_6.1.7601.17514_none_9f081dc1e0ddbddb_riched20.dll_fb578f95	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-smartcardksp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_63097ee7553ecff7.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-tcpip_31bf3856ad364e35_6.1.7601.17514_none_bfab9b4ba5f934f9_netiomig.dll_917b9a36	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_6.1.7600.16385_en-us_02e9e13998201d43.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_cs-cz_05d30e9dd60825a9.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-com-base_31bf3856ad364e35_6.1.7600.16385_none_69e3281e403684ea_oleres.dll_2eae8210	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_uk-ua_e8c7e489ddaf3a0c.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.17514_none_07f91de77125e78d_lpk.dll_ebdc1de9	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-msxml30_31bf3856ad364e35_6.1.7601.17514_none_e6944609ad75ac7d.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-msvcrt_31bf3856ad364e35_6.1.7600.16385_none_d12b8c440039b31e_msvcrt.dll_ee71f3d5	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-sechost_31bf3856ad364e35_6.1.7600.16385_none_879933012e49cc30_sechost.dll_a7bf8aa9	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-t..-msctfime.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4883f5b3beee107a.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-imagesp1.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a3883b23cca467b5_imagesp1.dll.mui_14e4c892	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-csrsrv_31bf3856ad364e35_6.1.7600.16385_none_257c28acbf0ea870_csrsrv.dll_f50da7f9	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.1.7601.17514_none_3d8bb37f97ba22ff_sdbinst.exe_8725e339	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_6.1.7601.17514_none_42ee5aff60183c81_iscsicli.exe_20e14d4f	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-w..nfrastructure-other_31bf3856ad364e35_6.1.7600.16385_none_6ace9e67456cc40b_ws2help.dll_2dd5d345	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..oexistencemigration_31bf3856ad364e35_6.1.7601.17514_none_7009184192f9f5e7_iphlpsvcmigplugin.dll_b4697821	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-msasn1_31bf3856ad364e35_6.1.7601.17514_none_25801b39bc00ed6c_msasn1.dll_e56dbc57	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..onmanager.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5a20b74a645757f9_partmgr.sys.mui_b800c491	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..-infrastructure-bsp_31bf3856ad364e35_6.1.7601.17514_none_16795c7543eb48cf.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_tr-tr_4ce801e2e67e13c0_comctl32.dll.mui_0da4e682	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..-truetype-cordianew_31bf3856ad364e35_6.1.7600.16385_none_de85488c0241f96e.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_6.1.7600.16385_none_70644a8bdb0d9303_cga40866.fon_2c80a06e	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_ru-ru_ee690d31c664eee4.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_uk-ua_1706c73dfc4b3026_comdlg32.dll.mui_ac8e62f4	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-cryptdll-dll_31bf3856ad364e35_6.1.7600.16385_none_0574dc0a0f190696_cryptdll.dll_e0da7eac	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..ional-codepage-1257_31bf3856ad364e35_6.1.7600.16385_none_2429c9016a32af3a_c_1257.nls_7347e598	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-setupapi.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6a372375d8b5ccfd.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase-ndiswan_31bf3856ad364e35_6.1.7601.17514_none_515e96306dea528f_ndiswan.sys_4be8047f	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rpc-kernel_31bf3856ad364e35_6.1.7601.17514_none_1d32894498861e30.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_networking-mpssvc-svc_31bf3856ad364e35_6.1.7601.17514_none_f83a40e7de7c47da.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

description	ioc
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\k9b1woz.bmp"

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality
ransomware sodinokibi

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.execmd.exe

description	pid	process	target process
PID 2044 wrote to memory of 1096	2044	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe	cmd.exe
PID 1096 wrote to memory of 1428	1096	cmd.exe	vssadmin.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

conhost.exe

pid process

1076 conhost.exe

pid	process
1076	conhost.exe

Discovering connected drives 3 TTPs 5 IoCs

ransomware

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe

description	ioc	process
File opened (read-only)	\??\A:	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened (read-only)	\??\B:	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened (read-only)	\??\C:	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened (read-only)	\??\E:	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened (read-only)	\??\F:	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe

Drops file in Program Files directory 38 IoCs

Processes:

06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe

description	ioc	process
File opened for modification	\??\c:\program files\UseSkip.xps	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File created	\??\c:\program files\5k85943-readme.txt	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	\??\c:\program files\DebugRevoke.txt	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File renamed	C:\Program Files\ConfirmUpdate.mpeg2 => \??\c:\program files\ConfirmUpdate.mpeg2.5k85943	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\d60dff40.lock	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File created	\??\c:\program files\d60dff40.lock	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File renamed	C:\Program Files\ConvertFromGet.xla => \??\c:\program files\ConvertFromGet.xla.5k85943	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	\??\c:\program files\UnprotectWait.html	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File renamed	C:\Program Files\UnregisterEnable.ods => \??\c:\program files\UnregisterEnable.ods.5k85943	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\desktop\5k85943-readme.txt	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	\??\c:\program files\PublishCopy.ppt	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	\??\c:\program files\PushFormat.jpe	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\5k85943-readme.txt	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	\??\c:\program files\UnregisterEnable.ods	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File renamed	C:\Program Files\RegisterJoin.vsd => \??\c:\program files\RegisterJoin.vsd.5k85943	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File renamed	C:\Program Files\WaitDebug.mhtml => \??\c:\program files\WaitDebug.mhtml.5k85943	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\desktop\d60dff40.lock	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	\??\c:\program files\JoinMove.vbs	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File renamed	C:\Program Files\ImportLimit.rm => \??\c:\program files\ImportLimit.rm.5k85943	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File created	\??\c:\program files\microsoft sql server compact edition\5k85943-readme.txt	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File created	\??\c:\program files (x86)\d60dff40.lock	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	\??\c:\program files\RegisterJoin.vsd	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	\??\c:\program files\WaitDebug.mhtml	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File renamed	C:\Program Files\JoinMove.vbs => \??\c:\program files\JoinMove.vbs.5k85943	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File renamed	C:\Program Files\StepConnect.temp => \??\c:\program files\StepConnect.temp.5k85943	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File renamed	C:\Program Files\UseSkip.xps => \??\c:\program files\UseSkip.xps.5k85943	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File created	\??\c:\program files (x86)\5k85943-readme.txt	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	\??\c:\program files\ConfirmUpdate.mpeg2	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	\??\c:\program files\ConvertFromGet.xla	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File renamed	C:\Program Files\UnprotectWait.html => \??\c:\program files\UnprotectWait.html.5k85943	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File renamed	C:\Program Files\PushFormat.jpe => \??\c:\program files\PushFormat.jpe.5k85943	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File renamed	C:\Program Files\PublishCopy.ppt => \??\c:\program files\PublishCopy.ppt.5k85943	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	\??\c:\program files\ImportLimit.rm	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	\??\c:\program files\StepConnect.temp	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File renamed	C:\Program Files\MountBlock.xltx => \??\c:\program files\MountBlock.xltx.5k85943	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File renamed	C:\Program Files\DebugRevoke.txt => \??\c:\program files\DebugRevoke.txt.5k85943	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File created	\??\c:\program files\microsoft sql server compact edition\d60dff40.lock	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	\??\c:\program files\MountBlock.xltx	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

description	ioc
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c06200000001000000200000004348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c7016114000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080b000000010000003000000044006900670069004300650072007400200047006c006f00620061006c00200052006f006f00740020004700320000005300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0620000000100000020000000cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f391d00000001000000100000007dc30bc974695560a2f0090a6545556c030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b80f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080b000000010000003000000044006900670069004300650072007400200047006c006f00620061006c00200052006f006f00740020004700320000005300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0620000000100000020000000cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f391d00000001000000100000007dc30bc974695560a2f0090a6545556c030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d0020005200310000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c995300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c06200000001000000200000004348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c7016114000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54362000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde
Set value (data)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\SystemCertificates\CA\Certificates\F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0\Blob = 030000000100000014000000f5ad0bcc1ad56cd150725b1c866c30ad92ef21b0140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d40400000001000000100000001edaf9ae99ce2920667d0e9a8b3f8c9c0f00000001000000300000007ce102d63c57cb48f80a65d1a5e9b350a7a618482aa5a36775323ca933ddfcb00def83796a6340dec5ebf7596cfd8e5d19000000010000001000000082218ffb91733e64136be5719f57c3a118000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c200000000100000078050000308205743082045ca00302010202102766ee56eb49f38eabd770a2fc84de22300d06092a864886f70d01010c0500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a381f43081f1301f0603551d23041830168014adbd987a34b426f7fac42654ef03bde024cb541a301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030440603551d1f043d303b3039a037a0358633687474703a2f2f63726c2e7573657274727573742e636f6d2f416464547275737445787465726e616c4341526f6f742e63726c303506082b0601050507010104293027302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c0500038201010064bf83f15f9a85d0cdb8a129570de85af7d1e93ef276046ef15270bb1e3cff4d0d746acc818225d3c3a02a5d4cf5ba8ba16dc4540975c7e3270e5d847937401377f5b4ac1cd03bab1712d6ef34187e2be979d3ab57450caf28fad0dbe5509588bbdf8557697d92d852ca7381bf1cf3e6b86e661105b31e942d7f91959259f14ccea391714c7c470c3b0b19f6a1b16c863e5caac42e82cbf90796ba484d90f294c8a973a2eb067b239ddea2f34d559f7a6145981868c75e406b23f5797aef8cb56b8bb76f46f47bf13d4b04d89380595ae041241db28f15605847dbef6e46fd15f5d95f9ab3dbd8b8e440b3cd9739ae85bb1d8ebcdc879bd1a6eff13b6f10386f
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b0601050507030406082b0601050507030106082b0601050507030206082b06010505070308060a2b0601040182370a0304060a2b0601040182370a030c6200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b0601050507030753000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d5503000000010000001400000002faf3e291435468607857694df5e45b6885186820000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b688518681d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b060105050703070f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b0601050507030753000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d5503000000010000001400000002faf3e291435468607857694df5e45b6885186819000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 1900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd90b000000010000001200000044006900670069004300650072007400000014000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1556200000001000000200000004348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c701615300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde

C:\Users\Admin\AppData\Local\Temp\06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
"C:\Users\Admin\AppData\Local\Temp\06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- Discovering connected drives
- Drops file in Program Files directory
PID:2044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Deletes shadow copies
PID:1428

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13736575861871489881-16881607701145638119-1445741727-334327988-15014401241888056553"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1076