sodinokibi | 06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851

General

Target

06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
Sample

191216-4zdx1n374x
SHA256

06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851

Score

10^/10

ransomware evasion spyware trojan sodinokibi

Malware Config

Extracted

Path

C:\05vb6je9-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 05vb6je9. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/566484711914F5F1 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/566484711914F5F1 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: rxaK53ALfFGy4622EI7nauMFpFvcU1PxDem3WfU4QyAJmXwkVspAsecIliVlENVp ifrBlPOSfnI1YRS3ax8jcweiLJrpA4g5HCKC+hyd2P485bMkPzI0O+AcQl8lbJda NNO8Xdh5XCZ/Dd/w6r7CHOgs13AD2YmxTn/dCR5huuXX7msfVT9nHqZg0HH4faS7 XSyPg+IQXQsci5jfAOLTvx4OZ3rdQWYC/sEvJM2dxW7Y1eQozPQfU22fw2CrBf+i K20DunLT+L8SH82Wa4r/SMb7R/b10ha/zoEIu3I0jn9oEc9Jp+VrXn4B7rpuGkOU 8QzXUMZhrhgydgkxGFSNGCTcGmgKYio+2Qhc5zEpfzD3X3aMR0wKIlxwVpHjhMCQ kkEcQM2Etri2wz03mKU0gI+TGpo12E0Rvv4xT/VjK6nBMgNfD+GM6zTYfjMqTSxy cJfu7aW1ctfR2e5VFDppYqHKc98K/LHHIi834pSjEBpAT63HiWLBw3Yc/AtPm2Pb FYPrOIKxvEauTwVfnIFo/hXB/Hmm9Wh8tK/trgQ9entkLyA4a5+T5Wn8n3zWndQI mUTD2pXx4VOG7WfKDZhmEBhuQRnc+Ekh6xTYkCekYn2HGCN/Dvf2uiRdXfX/m2Er jzjcwj9ZRYFBeWDXc3R2b+8P0bqRpjuB2jsgbkC6WfrRVwLlJ7sUtUnuqnpbghl4 Zn6Cv6T0y55vm1HDhBKOcISF8H4oA9XYnFYH8ZxOqt9rKy4q+8Rq5a+Lubbq1aJ8 F6NEjxl2yoL5cp1vXT3+5NEQOoydzweabnZ65PwNFHXw7jRw6jCByoMkh2wgavAN uff56lUgaCvLoR6bzKcLRLcQMs3TfPTZxkY6SXSRL7G9Xtt2gmInVoAiD3XOVIkY +CXOdZQbDlCvmpEu7gqRHX4gpUQrEVMJzGChTXxxz7HAAKK1R7Ol5ajUiaUMUIL6 WIbmmIYP6uwM2Eb1JX18y7mgdJwoCWT0I5Loq6XzgF8PBNpjS76dpZI20CBOXLVg dv15ir6+UvG/39aItCb0BEDQ+UpaTIboQqecYe9oo6OYoTbezd5/gtEMLWHsf/xG Fw6x63qzop68tsJrPO7xgeZL2I89XvAK+FuRkBo9QlXpDniEvcPceVh8qw6BSg+Y zsscBy8PDwWG+NAm Extension name: 05vb6je9 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/566484711914F5F1

http://decryptor.top/566484711914F5F1

Signatures

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.execmd.exe

description	pid	process	target process
PID 1440 wrote to memory of 1132	1440	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe	cmd.exe
PID 1132 wrote to memory of 2024	1132	cmd.exe	vssadmin.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

conhost.exe

pid process

1108 conhost.exe

pid	process
1108	conhost.exe

Drops file in Program Files directory 38 IoCs

Processes:

06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe

description	ioc	process
File opened for modification	\??\c:\program files\UseSkip.xps	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File renamed	C:\Program Files\MountBlock.xltx => \??\c:\program files\MountBlock.xltx.05vb6je9	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\d60dff40.lock	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	\??\c:\program files\ImportLimit.rm	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	\??\c:\program files\UnprotectWait.html	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File renamed	C:\Program Files\ConfirmUpdate.mpeg2 => \??\c:\program files\ConfirmUpdate.mpeg2.05vb6je9	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File renamed	C:\Program Files\StepConnect.temp => \??\c:\program files\StepConnect.temp.05vb6je9	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File renamed	C:\Program Files\PushFormat.jpe => \??\c:\program files\PushFormat.jpe.05vb6je9	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\desktop\05vb6je9-readme.txt	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	\??\c:\program files\JoinMove.vbs	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File renamed	C:\Program Files\WaitDebug.mhtml => \??\c:\program files\WaitDebug.mhtml.05vb6je9	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	\??\c:\program files\StepConnect.temp	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	\??\c:\program files\WaitDebug.mhtml	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	\??\c:\program files\ConvertFromGet.xla	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File created	\??\c:\program files\d60dff40.lock	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File renamed	C:\Program Files\ConvertFromGet.xla => \??\c:\program files\ConvertFromGet.xla.05vb6je9	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File renamed	C:\Program Files\RegisterJoin.vsd => \??\c:\program files\RegisterJoin.vsd.05vb6je9	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File renamed	C:\Program Files\UnregisterEnable.ods => \??\c:\program files\UnregisterEnable.ods.05vb6je9	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\desktop\d60dff40.lock	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File created	\??\c:\program files\05vb6je9-readme.txt	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	\??\c:\program files\UnregisterEnable.ods	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File renamed	C:\Program Files\PublishCopy.ppt => \??\c:\program files\PublishCopy.ppt.05vb6je9	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File renamed	C:\Program Files\UseSkip.xps => \??\c:\program files\UseSkip.xps.05vb6je9	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\05vb6je9-readme.txt	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	\??\c:\program files\ConfirmUpdate.mpeg2	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File created	\??\c:\program files\microsoft sql server compact edition\d60dff40.lock	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	\??\c:\program files\PublishCopy.ppt	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	\??\c:\program files\RegisterJoin.vsd	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File renamed	C:\Program Files\DebugRevoke.txt => \??\c:\program files\DebugRevoke.txt.05vb6je9	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File created	\??\c:\program files (x86)\05vb6je9-readme.txt	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	\??\c:\program files\DebugRevoke.txt	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File created	\??\c:\program files\microsoft sql server compact edition\05vb6je9-readme.txt	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	\??\c:\program files\MountBlock.xltx	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	\??\c:\program files\PushFormat.jpe	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File renamed	C:\Program Files\ImportLimit.rm => \??\c:\program files\ImportLimit.rm.05vb6je9	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File renamed	C:\Program Files\UnprotectWait.html => \??\c:\program files\UnprotectWait.html.05vb6je9	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File renamed	C:\Program Files\JoinMove.vbs => \??\c:\program files\JoinMove.vbs.05vb6je9	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File created	\??\c:\program files (x86)\d60dff40.lock	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

description	ioc
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c06200000001000000200000004348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c7016114000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde
Set value (data)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\SystemCertificates\CA\Certificates\F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0\Blob = 030000000100000014000000f5ad0bcc1ad56cd150725b1c866c30ad92ef21b0140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d40400000001000000100000001edaf9ae99ce2920667d0e9a8b3f8c9c0f00000001000000300000007ce102d63c57cb48f80a65d1a5e9b350a7a618482aa5a36775323ca933ddfcb00def83796a6340dec5ebf7596cfd8e5d19000000010000001000000082218ffb91733e64136be5719f57c3a118000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c200000000100000078050000308205743082045ca00302010202102766ee56eb49f38eabd770a2fc84de22300d06092a864886f70d01010c0500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a381f43081f1301f0603551d23041830168014adbd987a34b426f7fac42654ef03bde024cb541a301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030440603551d1f043d303b3039a037a0358633687474703a2f2f63726c2e7573657274727573742e636f6d2f416464547275737445787465726e616c4341526f6f742e63726c303506082b0601050507010104293027302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c0500038201010064bf83f15f9a85d0cdb8a129570de85af7d1e93ef276046ef15270bb1e3cff4d0d746acc818225d3c3a02a5d4cf5ba8ba16dc4540975c7e3270e5d847937401377f5b4ac1cd03bab1712d6ef34187e2be979d3ab57450caf28fad0dbe5509588bbdf8557697d92d852ca7381bf1cf3e6b86e661105b31e942d7f91959259f14ccea391714c7c470c3b0b19f6a1b16c863e5caac42e82cbf90796ba484d90f294c8a973a2eb067b239ddea2f34d559f7a6145981868c75e406b23f5797aef8cb56b8bb76f46f47bf13d4b04d89380595ae041241db28f15605847dbef6e46fd15f5d95f9ab3dbd8b8e440b3cd9739ae85bb1d8ebcdc879bd1a6eff13b6f10386f
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c995300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b688518681d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b060105050703070f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c06200000001000000200000004348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c7016114000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54362000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 1900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd90b000000010000001200000044006900670069004300650072007400000014000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1556200000001000000200000004348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c701615300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b0601050507030753000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d5503000000010000001400000002faf3e291435468607857694df5e45b6885186820000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b0601050507030753000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d5503000000010000001400000002faf3e291435468607857694df5e45b6885186819000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b0601050507030406082b0601050507030106082b0601050507030206082b06010505070308060a2b0601040182370a0304060a2b0601040182370a030c6200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080b000000010000003000000044006900670069004300650072007400200047006c006f00620061006c00200052006f006f00740020004700320000005300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0620000000100000020000000cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f391d00000001000000100000007dc30bc974695560a2f0090a6545556c030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b80f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080b000000010000003000000044006900670069004300650072007400200047006c006f00620061006c00200052006f006f00740020004700320000005300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0620000000100000020000000cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f391d00000001000000100000007dc30bc974695560a2f0090a6545556c030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d0020005200310000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality
ransomware sodinokibi

Discovering connected drives 3 TTPs 5 IoCs

ransomware

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe

description	ioc	process
File opened (read-only)	\??\F:	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened (read-only)	\??\C:	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened (read-only)	\??\A:	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened (read-only)	\??\B:	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened (read-only)	\??\E:	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe

Drops file in Windows directory 3276 IoCs

Processes:

06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-msvcp60_31bf3856ad364e35_6.1.7600.16385_none_4277eab412b31810.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_he-il_c8da0f0005e7bf7a.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rdbss_31bf3856ad364e35_6.1.7601.17514_none_b7fadd3b7808f9d5.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-setupapi.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c655bef991133e33_setupapi.dll.mui_bcc172a4	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_6.1.7601.17514_none_3eceef6140ec9728.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..ional-codepage-1253_31bf3856ad364e35_6.1.7600.16385_none_7e8247cd23b40e54.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_ar-sa_4d97f0fb677d2ca5.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-htmlhelp_31bf3856ad364e35_6.1.7600.16385_none_2e9f92abd2ce43b6_hhctrl.ocx_38c869db	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-x..nrollment.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4d5cf87622ff6ea7_certenroll.dll.mui_a77d5a29	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-sens-client_31bf3856ad364e35_6.1.7600.16385_none_011904ea1e74d196_sensapi.dll_9e623aad	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-rasbase_31bf3856ad364e35_6.1.7601.17514_none_765b17a2c56f9155_ndptsp.tsp_2d5533f8	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-sendmail_31bf3856ad364e35_6.1.7600.16385_none_c133165a6a14f67f_sendmail.dll_a8a54aff	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_sv-se_6b34fb20bc504b51_mlang.dll.mui_2904864a	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-ntlanman_31bf3856ad364e35_6.1.7601.17514_none_32187fb040e2395a_ntlanman.dll_0a73d68d	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-syssetup_31bf3856ad364e35_6.1.7601.17514_none_d94b3b8ee2b71796.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-duser_31bf3856ad364e35_6.1.7600.16385_none_5a4b046c5dce176a_duser.dll_a2bd2fa9	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-rpc-local.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9b91f4c11edec673.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-feclient_31bf3856ad364e35_6.1.7600.16385_none_1acf02d27145db87_feclient-ppdlic.xrm-ms_690f532f	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_6.1.7600.16385_none_59590e92c817a4e0_vga949.fon_0fa0b40b	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..ional-codepage-1256_31bf3856ad364e35_6.1.7600.16385_none_7fd6dd5722d91be9_c_1256.nls_72f6d1a9	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_it-it_6ee25da4f6aaa40a.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-unimodem-voice_31bf3856ad364e35_6.1.7600.16385_none_44610425b014c1b0.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_tr-tr_4ce801e2e67e13c0.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.17514_none_04709031736ac277_ksecdd.sys_dfd5d421	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_sk-sk_4adc36503d558868.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mscat32-dll_31bf3856ad364e35_6.1.7600.16385_none_80ba6a1a80d90497_mscat32.dll_1fcb31df	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_pl-pl_4871a5da2b2cebc2_msimsg.dll.mui_72e8994f	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-pshed.resources_31bf3856ad364e35_6.1.7600.16385_en-us_936a9abfda77f602.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_6.1.7600.16385_none_70644a8bdb0d9303_cga80866.fon_2e78de72	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-ndis_31bf3856ad364e35_6.1.7601.17514_none_05ed313632ae9759_ndistrace.mof_39e216d3	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-usp_31bf3856ad364e35_6.1.7601.17514_none_0b207e7d6f1bea6f_usp10.dll_8785b649	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-d..vices-sam.resources_31bf3856ad364e35_6.1.7600.16385_en-us_14569492a0cb0c5e.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-profsvc_31bf3856ad364e35_6.1.7601.17514_none_59d75cdc494c95ea_userprofilewmiprovider.mof_b1cb7e72	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-standardvga_31bf3856ad364e35_6.1.7600.16385_none_f881232cf3b0c322.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-vssapi_31bf3856ad364e35_6.1.7601.17514_none_330ce3bf9861358f_vssapi.dll_51f72c64	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-vgaoem_31bf3856ad364e35_6.1.7600.16385_none_73966d7b932081de.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.17727_none_6e30004a126a8db7.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-spp-main_31bf3856ad364e35_6.1.7601.17514_none_e64e60ad0b1ee918_spp.dll_d7bb2b05	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.1.7601.17514_none_b995c74af473511b.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_es-es_ecc8f50ace56f38c_comdlg32.dll.mui_ac8e62f4	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_ru-ru_924a71ae0e077dae.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-c..vider-dll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aac12e1c9878d430.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_114ca177b1fcad24_newdev.exe_7eb73dcd	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_sl-si_8c963396bc18f3f1_msimsg.dll.mui_72e8994f	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-imageanalysis_31bf3856ad364e35_6.1.7601.17514_none_a6821d2940c2bcdc_dbgeng.dll_eefdd445	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.1.7600.16385_tr-tr_ad816c4fbe2e97f9.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..endencies.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aa95888350c61d70.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..tional-codepage-949_31bf3856ad364e35_6.1.7600.16385_none_ceb1f5a4fc8f1f27_c_949.nls_a711f185	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_el-gr_da723e1e02d551df_bootmgr.efi.mui_be5d0075	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d2d_31bf3856ad364e35_7.1.7601.16492_none_f6dafd66fdb9c254_d2d1.dll_ef77984b	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-raavi_31bf3856ad364e35_6.1.7600.16385_none_a2d43ed8e3097243_raavib.ttf_325ee9c9	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-vrinda_31bf3856ad364e35_6.1.7600.16385_none_d2195f0f72f474c8_vrindab.ttf_790ee52a	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasserver_31bf3856ad364e35_6.1.7601.17514_none_09cf3ec67e6c6b50_rasppp-repl.man_a0e2d53a	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.1.7600.16385_hu-hu_094b730a5e9d6729.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_ru-ru_abc131a3483b963e_comctl32.dll.mui_0da4e682	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_sr-..-cs_d00114a57d13e603.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..etype-timesnewroman_31bf3856ad364e35_6.1.7601.17514_none_3b958c66aff6cdb7_timesbd.ttf_a3c367a0	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-raavi_31bf3856ad364e35_6.1.7600.16385_none_a2d43ed8e3097243.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-imm32_31bf3856ad364e35_6.1.7600.16385_none_b84b0fbd941c03a9_imm32.dll_53c2ab30	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2dba46ae3c357fb2_sqlsodbc.chm_92fe0a89	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_en-us_919783112bf8b64b_serialui.dll.mui_7d29d2a3	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_networking-mpssvc-svc.resources_31bf3856ad364e35_6.1.7601.17514_en-us_89701e1decba44ab_mpssvc.dll.mui_4b194b5f	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-sendmail_31bf3856ad364e35_6.1.7600.16385_none_c133165a6a14f67f.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-advapi32_31bf3856ad364e35_6.1.7601.17514_none_e54fbb95e4c3d1bb.manifest	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe

pid process

1440 06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2016 vssvc.exe
Token: SeRestorePrivilege 2016 vssvc.exe
Token: SeAuditPrivilege 2016 vssvc.exe

pid	process
1440	06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe

description	pid	process
Token: SeBackupPrivilege	2016	vssvc.exe
Token: SeRestorePrivilege	2016	vssvc.exe
Token: SeAuditPrivilege	2016	vssvc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

description	ioc
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7jh.bmp"

Deletes shadow copies 2 TTPs 1 IoCs
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2024 vssadmin.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

pid	process
2024	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
"C:\Users\Admin\AppData\Local\Temp\06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Drops file in Program Files directory
- Discovering connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1440

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Deletes shadow copies
PID:2024

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-115631094316172553599345339094646428935143215812363921851982921620-1098032287"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1108