sodinokibi | 0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6

Resubmissions

23-08-2021 11:05

210823-nrkcshgr2x 10

26-07-2021 12:42

210726-26nlz7zsf2 10

Analysis

max time kernel
1794s
max time network
1799s
platform
windows10_x64
resource
win10v20210410
submitted
23-08-2021 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
Size

161KB
MD5

98164254301c7670ce8466d7f488608d
SHA1

ce0f5b0b1cf7d5c63848b4c7af1cf4de895e672d
SHA256

0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6
SHA512

39fbf256eae87be00ea51f59ef259f541f53c607cb67479cf3068cf3aeb9119fbf86555027c1e4c895458693fd1b990990088a7d35c1c9f5ffdb7a74a6197621

Score

10^/10

sodinokibi ransomware spyware stealer suricata

Malware Config

Extracted

Path

C:\vms8r46l-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion vms8r46l. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2A6F89CAECC9B2C7 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/2A6F89CAECC9B2C7 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: CNsRlAiSRhCLAK+NB1IBVXgZJBvzsgp9CYwRsyZZni8XNf1F0rqMWpWKMekFRN4f m+g1t9pnkBAeTZDpoqcCNC5YQ9YOwbGRyCr/kO6u9hgvlGI9LRzaQFV+duTQK2WO 83WW/Kff3fYJxNdsfM/9/ZuuTr6ut3J0eo+4h4UMrXus3EzEty35DG3NQ8sN8pPb nE9vNByNSW1fnnI+JkDpyGnp/FRFue4p3ZIQI/iPakDzSOLDUqpDHGbOYHNN+rfl 2byMCUc7p1Rl7i0xilsNuTBTUXWCMPZRZ5TYrF/yrfBf64lWDaaPlWDG6KH7yljq RbaBrJX84pvEV6XRRQsgUD6qAQNDbE2YilHu5a1bLLvK4sJ2kaC5/lXkZnrB2Vyl GtTwkO83YyhIFbEmfjzE2VaFG56Az76VKDV0vc4rzZ2PF9ZJExuOMMVxNRI0QicQ Rja8jCJRzCMIWiwip/h20MDowCBcXcTo/p87laJYRnUdpZgGo+xgykNaMI89huNW aa1qyfJLzkv1Ex7bEdMaDFqJm+BYgAXNU1lsy7LskzUhr9ZLsi6c7t2wZdzyPDCm SWFMLiAZjSsc6HDNZiVlp2yfh0og+HKfXarwl8tcsIEq/Vw/vDei+wXpnU+yDTBT Ao1pCGoqwG1UjkBfRz/UU8+uTwksrRsEAwV1Il5uefQokUsOSR6ShghT+KRz0uya 2xmfdvdUie9kMjCoLDwjKQmEVBM5w4rKwr41fla0S0KIsngKmloKgNPZxzqoqL7G /EqFd84JH4bHagSDJt1aAECNKVZqjcc8v/AaxQRhtxn4fU7/QFmObbR/KpU00MoI G6gLQ2DrwE5DvjZhHV8xiUoNeRfGvZ9sizWd3bCwrcqgGq+YQHDYBjlVVe1m0xwi TFYCDfiRaK7S8lbM78HEbTbEPDmURF+NMGhl6vIl2og4qpwGL3mSsx0ahqPox6tA Y+PXpab7+wgxWPehkiWg7mo5zV94NRN/SVqcDHOKSUX/CIXy0LNHeZHgR0jmbWjY rpMSVf46VsKRyo1om2ZGEYlPp6ogbWJ3esjoPFeULuM+kOlfhqr8d7DRVRZqpzzt hK5LtjsTligcjyiU/8h/CWPqjmZXu91/VjJNB5RRsaQn/t6uU7b2DShCwUJB+A== Extension name: vms8r46l ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2A6F89CAECC9B2C7

http://decryptor.top/2A6F89CAECC9B2C7

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
suricata: ET MALWARE Known Sinkhole Response Header
suricata: ET MALWARE Known Sinkhole Response Header
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe

description	ioc	process
File opened (read-only)	\??\B:	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened (read-only)	\??\K:	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened (read-only)	\??\M:	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened (read-only)	\??\Q:	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened (read-only)	\??\R:	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened (read-only)	\??\X:	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened (read-only)	\??\D:	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened (read-only)	\??\I:	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened (read-only)	\??\L:	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened (read-only)	\??\T:	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened (read-only)	\??\A:	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened (read-only)	\??\G:	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened (read-only)	\??\J:	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened (read-only)	\??\P:	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened (read-only)	\??\W:	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened (read-only)	\??\V:	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened (read-only)	\??\E:	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened (read-only)	\??\F:	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened (read-only)	\??\H:	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened (read-only)	\??\N:	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened (read-only)	\??\O:	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened (read-only)	\??\S:	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened (read-only)	\??\U:	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened (read-only)	\??\Y:	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened (read-only)	\??\Z:	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6b38u9y0.bmp"	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe

Drops file in Program Files directory 33 IoCs

Processes:

0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe

description	ioc	process
File opened for modification	\??\c:\program files\RenameConvertTo.htm	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	\??\c:\program files\UnlockGet.wmv	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	\??\c:\program files\DisableHide.aiff	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	\??\c:\program files\InitializeCompress.jpe	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	\??\c:\program files\NewDisable.rle	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	\??\c:\program files\RestoreMove.vdx	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	\??\c:\program files\RevokeSync.shtml	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File created	\??\c:\program files\vms8r46l-readme.txt	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	\??\c:\program files\LockUnpublish.vstx	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	\??\c:\program files\ConvertToWait.m3u	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	\??\c:\program files\RestoreGrant.cr2	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	\??\c:\program files\ResumeShow.wm	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	\??\c:\program files\CheckpointAdd.ps1xml	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	\??\c:\program files\ExportClear.potm	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	\??\c:\program files\GetResolve.svg	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	\??\c:\program files\LockFormat.dotm	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	\??\c:\program files\WatchPing.dwfx	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	\??\c:\program files\EnterResize.htm	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	\??\c:\program files\GetHide.jpg	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	\??\c:\program files\RegisterJoin.jpg	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	\??\c:\program files\UndoUnregister.jpg	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	\??\c:\program files\UnprotectSplit.png	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	\??\c:\program files\OpenUpdate.ex_	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	\??\c:\program files\OutEdit.vdx	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	\??\c:\program files\CompressMeasure.eprtx	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	\??\c:\program files\CompressStop.vsd	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	\??\c:\program files\ConvertFromMerge.wdp	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	\??\c:\program files\MountImport.pub	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File created	\??\c:\program files (x86)\vms8r46l-readme.txt	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	\??\c:\program files\BlockFormat.dib	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	\??\c:\program files\UseInitialize.3gp2	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	\??\c:\program files\ExpandPush.ex_	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	\??\c:\program files\ShowSearch.potx	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe

Drops file in Windows directory 64 IoCs

Processes:

0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-netio-infrastructure_31bf3856ad364e35_10.0.15063.0_none_67af460eee1c40c7.manifest	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..entication-usermode_31bf3856ad364e35_10.0.15063.0_none_4b359c6cad232586.manifest	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.15063.0_en-us_04d9ab74573a46e7_scdeviceenum.dll.mui_815e7662	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_10.0.15063.0_none_fb51a18514e4621f_tdx.sys_d0cc4fd9	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-d..wmanager-compositor_31bf3856ad364e35_10.0.15063.0_none_20ead682ac8d69e0_dwmcore.dll_523baf47	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_en-us_8febce1621bba7d7_bootmgfw.efi.mui_a6e78cfa	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.15063.0_en-us_74d5f5c7b3aae50f_userdeviceregistration.ngc.dll.mui_d2c6ca95	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-ntmarta_31bf3856ad364e35_10.0.15063.0_none_8c9a5ae0c87057ba.manifest	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmpdui.resources_31bf3856ad364e35_10.0.15063.0_en-us_8ab04126569c4047_wmpdui.dll.mui_92411657	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-d..ient-core.resources_31bf3856ad364e35_10.0.15063.0_en-us_32ab8a096e6c998f_dnsapi.dll.mui_97465f8a	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.15063.0_en-us_dc9d1f26de15ab15_gpapi.dll.mui_ef0a9748	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-gdi_31bf3856ad364e35_10.0.15063.0_none_c53b9c03c7b5d8af_fontsub.dll_367a1189	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_es-mx_704919a91fc309dc_comctl32.dll.mui_0da4e682	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-netlogon_31bf3856ad364e35_10.0.15063.0_none_0ecb907c70c8a1bf.manifest	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_lt-lt_ce3b1a34396db477.manifest	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..-configuration-data_31bf3856ad364e35_10.0.15063.0_none_1dd4f4fd8d1ebaaf.manifest	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_nb-no_8d1e810c801783ea_memtest.exe.mui_77b8cbcc	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ole-automation_31bf3856ad364e35_10.0.15063.0_none_d868ae1968a9ae8b_oleaut32.dll_730e3d41	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-transactionmanagerapi_31bf3856ad364e35_10.0.15063.0_none_0bcc8dc1546963cf_ktmw32.dll_835a43ee	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_es-mx_a35c198187d0c729_comctl32.dll.mui_0da4e682	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_th-th_f86cf2fb5a7af7cf.manifest	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_zh-cn_27839b07aafca9cf_memtest.efi.mui_71e15c22	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-time-service.resources_31bf3856ad364e35_10.0.15063.0_en-us_6419a60bccec5b88_w32time.dll.mui_b382d4b4	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winlogon-sysntfy_31bf3856ad364e35_10.0.15063.0_none_6686cc5b4881feb6_sysntfy.dll_6c0b60ae	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_de-de_b0bbc22785bbbd0e.manifest	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_el-gr_fbbc855ddf690df7.manifest	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_lt-lt_e44c200bc2e6c69f.manifest	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-gdi32_31bf3856ad364e35_10.0.15063.0_none_6a928335822044d3.manifest	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.isolationautomation_6595b64144ccf1df_1.0.15063.0_none_58a3b1f2dbb10121_sxsoa.dll_cb87188c	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-usermodepowerservice_31bf3856ad364e35_10.0.15063.0_none_6f1e604385420c54.manifest	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-commonlog_31bf3856ad364e35_10.0.15063.0_none_8f9673e6605abf5d.manifest	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ient-core.resources_31bf3856ad364e35_10.0.15063.0_en-us_2856dfb73a0bd794_dnsapi.dll.mui_97465f8a	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.15063.0_none_946aa6202fade3c5_8514sysg.fon_d69594ed	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_he-il_0d3c12cce5f4147b_comctl32.dll.mui_0da4e682	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_zh-tw_5f99d587c3c467b0.manifest	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_lv-lv_06be8d86c3187ada_bootmgr.efi.mui_be5d0075	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-basedependencies_31bf3856ad364e35_10.0.15063.0_none_13b5cafd619e21a8.manifest	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_fab89c2a8a882a6b.manifest	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..ne-client-overrides_31bf3856ad364e35_10.0.15063.0_none_43849a6a5b3b562b.manifest	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appidcore_31bf3856ad364e35_10.0.15063.0_none_3fe4b2c9ef33a509_applockercsp.dll_771a831b	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wintrust-dll_31bf3856ad364e35_10.0.15063.0_none_00c212fed2df9e6b_wintrust.dll_abec426a	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.15063.0_en-us_e5db677400777894.manifest	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_networking-mpssvc-drv.resources_31bf3856ad364e35_10.0.15063.0_en-us_692cd2ccf2f68bd9.manifest	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_lv-lv_182c8e682a72c4dc_comctl32.dll.mui_0da4e682	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase-raspptp_31bf3856ad364e35_10.0.15063.0_none_ab02f81220a59684.manifest	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-keyiso.resources_31bf3856ad364e35_10.0.15063.0_en-us_25f384cce1402e82.manifest	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_he-il_54e949a3fa703d81_comctl32.dll.mui_0da4e682	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver_31bf3856ad364e35_10.0.15063.0_none_bcbd1290a09b9a77_mprdim.dll_8e5e0893	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_10.0.15063.0_en-us_71c1f73248e2ec42.manifest	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_th-th_e3d2bbfcae0c8c16.manifest	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-userenv_31bf3856ad364e35_10.0.15063.0_none_aba8edfeb8725505.manifest	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.15063.0_none_0e77f624e73557a1_vga950.fon_09ed4d3d	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-netapi32_31bf3856ad364e35_10.0.15063.0_none_9e47f44c3a5e979a_netapi32.dll_8b1e859a	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_hu-hu_108ceb72e3e4e2a9_comctl32.dll.mui_0da4e682	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-shlwapi_31bf3856ad364e35_10.0.15063.0_none_aeceefba2520337c_shlwapi.dll_1eec0a2e	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_ro-ro_e8129b1fdba02ab0.manifest	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.15063.0_none_946aa6202fade3c5_85s1255.fon_3e2f9644	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_pt-pt_29179e3878af7901.manifest	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_ko-kr_ce5152af8ee877a4_msimsg.dll.mui_72e8994f	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_10.0.15063.0_none_6c3a936ba57599b0_winresume.efi_85cd069f	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lsa-minwin_31bf3856ad364e35_10.0.15063.0_none_4e7f7ad6cb1d2087_sspicli.dll_bcec1809	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..ertificates-utility_31bf3856ad364e35_10.0.15063.0_none_9a11856b637894e6.manifest	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_nb-no_14793e40fc75bb05_comctl32.dll.mui_0da4e682	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_pt-br_5b48cea4e14dc672.manifest	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3936 vssadmin.exe

pid	process
3936	vssadmin.exe

Modifies system certificate store 2 TTPs 25 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 5c00000001000000040000000008000019000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877604000000010000001000000091de0625abdafd32170cbb25172a846720000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\SystemCertificates\CA\Certificates\247106A405B288A46E70A0262717162D0903E734\Blob = 030000000100000014000000247106a405b288a46e70a0262717162d0903e734140000000100000014000000b390a7d8c9af4ecd613c9f7cad5d7f41fd6930ea0400000001000000100000001a9a69a81f6da92d87f7694e16d8b8790f00000001000000300000009e9609372f45b5101548e8af9a20e0dbf5932dea9b9af86759c2029bc3b53e306e6491f6b15bf00b1e2dee3bb8d43d2219000000010000001000000043e6fa09a3b9d0de6fbe3aacd184c8fd5c000000010000000400000000080000180000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000ed050000308205e9308203d1a003020102021005e4dc3b9438ab3b8597cba6a19850e3300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3134303931323030303030305a170d3234303931313233353935395a305f310b3009060355040613024652310e300c060355040813055061726973310e300c060355040713055061726973310e300c060355040a130547616e64693120301e0603550403131747616e6469205374616e646172642053534c204341203230820122300d06092a864886f70d01010105000382010f003082010a028201010094042da6799574ffd5003cf5aed894b1297cc08f0b0b89b98283976e3728f5a21acfd2920b9ba8d387947384109fdc35cbc22d92ac21b9cb3bfc40c1c18321f0bff8f69cfa9c8210c0d08e4ee50d4cb0915c90b4a4405116dae484122d055ca11f17192451aa7aeae1071b868d0172f2e7d48323399ee0e14c1f6b22a3b41066b0ed8296d76e6ab4f23fb542fcdd8ab5abba2d1d3a759b31dc3e9dac5bd3410d6cb01bf53af579ea21a2f8f433524b242d1ea499b16d48bcb812fe72707cf7fb0275f48dded6dac0a0321a52df386b2e45383f3f049600fda1f4a2bbd517d6277c1b5859955e8a12fd9cab813e52284851856bf391b2863f29b56e0362eed6050203010001a382017530820171301f0603551d230418301680145379bf5aaa2b4acf5480e1d89bc09df2b20366cb301d0603551d0e04160414b390a7d8c9af4ecd613c9f7cad5d7f41fd6930ea300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b0601050507030230220603551d20041b3019300d060b2b06010401b2310102021a3008060667810c01020130500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737452534143657274696669636174696f6e417574686f726974792e63726c307606082b06010505070101046a3068303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f555345525472757374525341416464547275737443412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c050003820201005867fd72b26ad77c6196197ed94346d1267dc853fa66b06b2da7d3aa56f73a88d03b72c950fdf759b2aa68f58c7303bb956517ce2f1cdd9813a291c9eea1406e3c98d65cf3b2223c2dee1ba4e1de202416f28c1173913af6face240287ca93ecb4b6c81617c572fc2740f613fe93a69d51ef3c2bd877579b8c653a352536b7b58a636f072793b1608d80db96d47a8f2dab1c88c96e7ed6651faf5dca163f2846dca035e5f9e9e5d596880c4fc6b77767488427b61fb068dbacbf77b090b8a2c91c325d02ba2543814247bbd8e18f0c0c465fee46336b031482d37ecd8faf90d68e247d4042b46a6a17c69597e1f238cda7edb4274093df72a9b8c666633738642230a23bf1b9c87bc8fb293aab1a72d206124ef682d4236f3ec393e5d8b6c0dedc2316d61330b7a09a0e2c5506007001cfea391d80db88f7a520b85bfd3126698f2d0a61833a47a613542c1ee3ed44cabc6a1f280e51d9de0e9f75cd0e0395caf9c5a92a2dfe41a4a147ae0dc2f93966334a5be18428596c7d941776e44582ad7020fdd26f63a8d7faa033fa37cbf7b2659eda506f3fe4a7f38e5d58329770232ee7fdc4159b9c278f32ed17ad58813129111a9bd4fc6c9528c74e0507a6fd1dbc19e2e8b7b9118a2d701252858d8c334a0ffc9992e06370daa594476307e758c7315f053d3655fe83b2e8a6add7e9e6027488745cda34db90d26d510a23d623	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8782C6C304353BCFD29692D2593E7D44D934FF11	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8782C6C304353BCFD29692D2593E7D44D934FF11\Blob = 0f000000010000001400000031d254c62674c351d6e6212f6e53175aade3175c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b0601050507030853000000010000002600000030243022060c6086480186fd64010102040130123010060a2b0601040182373c0101030200c0620000000100000020000000f1c1b50ae5a20dd8030ec9f6bc24823dd367b5255759b4e71b61fce9f7375d731400000001000000140000004232b616fa04fdfe5d4b7ac3fdf74c401d5a43af0b000000010000001400000054007200750073007400770061007600650000001d0000000100000010000000eb1e70cf1ead1152153e79ec90edaba40300000001000000140000008782c6c304353bcfd29692d2593e7d44d934ff112000000001000000bc030000308203b8308202a0a00302010202100cf08e5c0816a5ad427ff0eb271859d0300d06092a864886f70d01010505003048310b30090603550406130255533120301e060355040a1317536563757265547275737420436f72706f726174696f6e311730150603550403130e5365637572655472757374204341301e170d3036313130373139333131385a170d3239313233313139343035355a3048310b30090603550406130255533120301e060355040a1317536563757265547275737420436f72706f726174696f6e311730150603550403130e536563757265547275737420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aba481e595cdf5f6148ec24fcad4e27895589c41e10d9940241739913366e9bee183af625c89d1fc245b61b3e01111411c1d6ef0b8bbf8dea781baa648c69f1dbdbe8ea9413eb894ed291ad48ed2031d03ef6d0d671c57d706adcac8f5fe0eaf66254804960b5da3ba16c3084fd146f8145cf2c85e01996dfd88cc86a8c16f31426c523e68cbf31934dfbb8718568026c4d0dcc06fdfdea0c29116a064114b44bc1ef6e7fa63de66ac76a471a3ec3694687a77a4b1e70e2f817ae2b57286efa26b8bf00fdbd3593fba72bc44249ce373b3f7af572f42269da974ba0052f24bcd537c470b36850e66a90897163457c166f780e3ed7054c793e02e28155987babb0203010001a3819d30819a301306092b060104018237140204061e0400430041300b0603551d0f040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604144232b616fa04fdfe5d4b7ac3fdf74c401d5a43af30340603551d1f042d302b3029a027a0258623687474703a2f2f63726c2e73656375726574727573742e636f6d2f535443412e63726c301006092b06010401823715010403020100300d06092a864886f70d0101050500038201010030ed4f4ae1583a52725bb5a6a36518a6bb513b77e99dead39f5ce045657b0dca5be27050b2940514ae49c78d41071273947e0c2321fdbc107f60105a72f5980eacecb97fdd7a6f5dd31cf4ff88056942a90571c8b7ac26e82eb48c6aff71dcb8b1df99bc7c21542be458a2bb5729ae9ea9a319260f992e08b0effd69cf991a098de3a79f2bc936347b24b3784c9517a406261eb66452365f6067d99cc505740be76723d208fc88e9ae8b7fe130f4377efdc632da2d9e4430306cee07ded234fcd2ff40f64bf466460654a6f2320a6326306b9bd1dc8b47bae1b9d562d0a2a0f467057829631a6f04d6f8c64ca39ab137b48de5284b1d9e2cc2b868bced02ee31	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8782C6C304353BCFD29692D2593E7D44D934FF11\Blob = 190000000100000010000000e6097c8f76ab46189964b5fe3cd5c1d80f000000010000001400000031d254c62674c351d6e6212f6e53175aade3175c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b0601050507030853000000010000002600000030243022060c6086480186fd64010102040130123010060a2b0601040182373c0101030200c0620000000100000020000000f1c1b50ae5a20dd8030ec9f6bc24823dd367b5255759b4e71b61fce9f7375d731400000001000000140000004232b616fa04fdfe5d4b7ac3fdf74c401d5a43af0b000000010000001400000054007200750073007400770061007600650000001d0000000100000010000000eb1e70cf1ead1152153e79ec90edaba40300000001000000140000008782c6c304353bcfd29692d2593e7d44d934ff11040000000100000010000000dc32c3a76d2557c768099dea2da9a2d12000000001000000bc030000308203b8308202a0a00302010202100cf08e5c0816a5ad427ff0eb271859d0300d06092a864886f70d01010505003048310b30090603550406130255533120301e060355040a1317536563757265547275737420436f72706f726174696f6e311730150603550403130e5365637572655472757374204341301e170d3036313130373139333131385a170d3239313233313139343035355a3048310b30090603550406130255533120301e060355040a1317536563757265547275737420436f72706f726174696f6e311730150603550403130e536563757265547275737420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aba481e595cdf5f6148ec24fcad4e27895589c41e10d9940241739913366e9bee183af625c89d1fc245b61b3e01111411c1d6ef0b8bbf8dea781baa648c69f1dbdbe8ea9413eb894ed291ad48ed2031d03ef6d0d671c57d706adcac8f5fe0eaf66254804960b5da3ba16c3084fd146f8145cf2c85e01996dfd88cc86a8c16f31426c523e68cbf31934dfbb8718568026c4d0dcc06fdfdea0c29116a064114b44bc1ef6e7fa63de66ac76a471a3ec3694687a77a4b1e70e2f817ae2b57286efa26b8bf00fdbd3593fba72bc44249ce373b3f7af572f42269da974ba0052f24bcd537c470b36850e66a90897163457c166f780e3ed7054c793e02e28155987babb0203010001a3819d30819a301306092b060104018237140204061e0400430041300b0603551d0f040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604144232b616fa04fdfe5d4b7ac3fdf74c401d5a43af30340603551d1f042d302b3029a027a0258623687474703a2f2f63726c2e73656375726574727573742e636f6d2f535443412e63726c301006092b06010401823715010403020100300d06092a864886f70d0101050500038201010030ed4f4ae1583a52725bb5a6a36518a6bb513b77e99dead39f5ce045657b0dca5be27050b2940514ae49c78d41071273947e0c2321fdbc107f60105a72f5980eacecb97fdd7a6f5dd31cf4ff88056942a90571c8b7ac26e82eb48c6aff71dcb8b1df99bc7c21542be458a2bb5729ae9ea9a319260f992e08b0effd69cf991a098de3a79f2bc936347b24b3784c9517a406261eb66452365f6067d99cc505740be76723d208fc88e9ae8b7fe130f4377efdc632da2d9e4430306cee07ded234fcd2ff40f64bf466460654a6f2320a6326306b9bd1dc8b47bae1b9d562d0a2a0f467057829631a6f04d6f8c64ca39ab137b48de5284b1d9e2cc2b868bced02ee31	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = 19000000010000001000000060e2dc65295f1062e558f3fef235ed3c030000000100000014000000b51c067cee2b0c3df855ab2d92f4fe39d4e70f0e1d000000010000001000000054e2cd85ba79cda018fed9e6a863aa461400000001000000140000007c0c321fa7d9307fc47d68a362a8a1ceab075b276200000001000000200000002ce1cb0bf9d2f9e102993fbe215152c3b2dd0cabde1c68e5319b839154dbb7f553000000010000002500000030233021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b000000010000005400000053007400610072006600690065006c006400200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000132020004700320000000f000000010000002000000071b437f087f3700ffd4e2fa46f42b6b810d7bf19adfedf951c023edd65b50b052000000001000000e1030000308203dd308202c5a003020102020100300d06092a864886f70d01010b050030818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a30818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bdedc103fcf68ffc02b16f5b9f48d99d79e2a2b703615618c347b6d7ca3d352e8943f7a1699bde8a1afd13209cb44977322956fdb9ec8cdd22fa72dc276197eef65a84ec6e19b9892cdc845bd574fb6b5fc589a51052894655f4b8751ce67fe454ae4bf85572570219f8177159eb1e280774c59d48be6cb4f4a4b0f364377992c0ec465e7fe16d534c62afcd1f0b63bb3a9dfbfc7900986174cf26824063f3b2726a190d99cad40e75cc37fb8b89c159f1627f5fb35f6530f8a7b74d765a1e765e34c0e89656998ab3f07fa4cdbddc32317c91cfe05f11f86baa495cd19994d1a2e3635b0976b55662e14b741d96d426d4080459d0980e0ee6defcc3ec1f90f10203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147c0c321fa7d9307fc47d68a362a8a1ceab075b27300d06092a864886f70d01010b050003820101001159fa254f036f94993b9a1f828539d47605945ee128936d625d09c2a0a8d4b07538f1346a9de49f8a862651e62cd1c62d6e95204a9201ecb88a677b31e2672e8c9503262e439d4a31f60eb50cbbb7e2377f22ba00a30e7b52fb6bbb3bc4d379514ecd90f4670719c83c467a0d017dc558e76de68530179a24c410e004f7e0f27fd4aa0aff421d37ed94e5645912207738d3323e3881759673fa688fb1cbce1fc5ecfa9c7ecf7eb1f1072db6fcbfcaa4bfd097054abcea18280290bd5478092171d3d17d1dd916b0a9613dd00a0022fcc77bcb0964450b3b4081f77d7c32f598ca588e7d2aee90597364f936745e25a1f566052e7f3915a92afb508b8e8569f4	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f03000000010000001400000002faf3e291435468607857694df5e45b688518687e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70103000000010000001400000002faf3e291435468607857694df5e45b688518680400000001000000100000001d3554048578b03f42424dbf20730a3f20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8782C6C304353BCFD29692D2593E7D44D934FF11\Blob = 040000000100000010000000dc32c3a76d2557c768099dea2da9a2d10300000001000000140000008782c6c304353bcfd29692d2593e7d44d934ff111d0000000100000010000000eb1e70cf1ead1152153e79ec90edaba40b000000010000001400000054007200750073007400770061007600650000001400000001000000140000004232b616fa04fdfe5d4b7ac3fdf74c401d5a43af620000000100000020000000f1c1b50ae5a20dd8030ec9f6bc24823dd367b5255759b4e71b61fce9f7375d7353000000010000002600000030243022060c6086480186fd64010102040130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080f000000010000001400000031d254c62674c351d6e6212f6e53175aade3175c2000000001000000bc030000308203b8308202a0a00302010202100cf08e5c0816a5ad427ff0eb271859d0300d06092a864886f70d01010505003048310b30090603550406130255533120301e060355040a1317536563757265547275737420436f72706f726174696f6e311730150603550403130e5365637572655472757374204341301e170d3036313130373139333131385a170d3239313233313139343035355a3048310b30090603550406130255533120301e060355040a1317536563757265547275737420436f72706f726174696f6e311730150603550403130e536563757265547275737420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aba481e595cdf5f6148ec24fcad4e27895589c41e10d9940241739913366e9bee183af625c89d1fc245b61b3e01111411c1d6ef0b8bbf8dea781baa648c69f1dbdbe8ea9413eb894ed291ad48ed2031d03ef6d0d671c57d706adcac8f5fe0eaf66254804960b5da3ba16c3084fd146f8145cf2c85e01996dfd88cc86a8c16f31426c523e68cbf31934dfbb8718568026c4d0dcc06fdfdea0c29116a064114b44bc1ef6e7fa63de66ac76a471a3ec3694687a77a4b1e70e2f817ae2b57286efa26b8bf00fdbd3593fba72bc44249ce373b3f7af572f42269da974ba0052f24bcd537c470b36850e66a90897163457c166f780e3ed7054c793e02e28155987babb0203010001a3819d30819a301306092b060104018237140204061e0400430041300b0603551d0f040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604144232b616fa04fdfe5d4b7ac3fdf74c401d5a43af30340603551d1f042d302b3029a027a0258623687474703a2f2f63726c2e73656375726574727573742e636f6d2f535443412e63726c301006092b06010401823715010403020100300d06092a864886f70d0101050500038201010030ed4f4ae1583a52725bb5a6a36518a6bb513b77e99dead39f5ce045657b0dca5be27050b2940514ae49c78d41071273947e0c2321fdbc107f60105a72f5980eacecb97fdd7a6f5dd31cf4ff88056942a90571c8b7ac26e82eb48c6aff71dcb8b1df99bc7c21542be458a2bb5729ae9ea9a319260f992e08b0effd69cf991a098de3a79f2bc936347b24b3784c9517a406261eb66452365f6067d99cc505740be76723d208fc88e9ae8b7fe130f4377efdc632da2d9e4430306cee07ded234fcd2ff40f64bf466460654a6f2320a6326306b9bd1dc8b47bae1b9d562d0a2a0f467057829631a6f04d6f8c64ca39ab137b48de5284b1d9e2cc2b868bced02ee31	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\SystemCertificates\CA\Certificates\4DEEA7060D80BABF1643B4E0F0104C82995075B7	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\SystemCertificates\CA\Certificates\247106A405B288A46E70A0262717162D0903E734	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f95c0000000100000004000000000800001800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 5c0000000100000004000000000800000400000001000000100000001d3554048578b03f42424dbf20730a3f03000000010000001400000002faf3e291435468607857694df5e45b688518687e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 04000000010000001000000091de0625abdafd32170cbb25172a84670f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee419000000010000001000000063664b080559a094d10f0a3c5f4f629020000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8782C6C304353BCFD29692D2593E7D44D934FF11\Blob = 5c000000010000000400000000080000040000000100000010000000dc32c3a76d2557c768099dea2da9a2d10300000001000000140000008782c6c304353bcfd29692d2593e7d44d934ff111d0000000100000010000000eb1e70cf1ead1152153e79ec90edaba40b000000010000001400000054007200750073007400770061007600650000001400000001000000140000004232b616fa04fdfe5d4b7ac3fdf74c401d5a43af620000000100000020000000f1c1b50ae5a20dd8030ec9f6bc24823dd367b5255759b4e71b61fce9f7375d7353000000010000002600000030243022060c6086480186fd64010102040130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080f000000010000001400000031d254c62674c351d6e6212f6e53175aade3175c190000000100000010000000e6097c8f76ab46189964b5fe3cd5c1d82000000001000000bc030000308203b8308202a0a00302010202100cf08e5c0816a5ad427ff0eb271859d0300d06092a864886f70d01010505003048310b30090603550406130255533120301e060355040a1317536563757265547275737420436f72706f726174696f6e311730150603550403130e5365637572655472757374204341301e170d3036313130373139333131385a170d3239313233313139343035355a3048310b30090603550406130255533120301e060355040a1317536563757265547275737420436f72706f726174696f6e311730150603550403130e536563757265547275737420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aba481e595cdf5f6148ec24fcad4e27895589c41e10d9940241739913366e9bee183af625c89d1fc245b61b3e01111411c1d6ef0b8bbf8dea781baa648c69f1dbdbe8ea9413eb894ed291ad48ed2031d03ef6d0d671c57d706adcac8f5fe0eaf66254804960b5da3ba16c3084fd146f8145cf2c85e01996dfd88cc86a8c16f31426c523e68cbf31934dfbb8718568026c4d0dcc06fdfdea0c29116a064114b44bc1ef6e7fa63de66ac76a471a3ec3694687a77a4b1e70e2f817ae2b57286efa26b8bf00fdbd3593fba72bc44249ce373b3f7af572f42269da974ba0052f24bcd537c470b36850e66a90897163457c166f780e3ed7054c793e02e28155987babb0203010001a3819d30819a301306092b060104018237140204061e0400430041300b0603551d0f040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604144232b616fa04fdfe5d4b7ac3fdf74c401d5a43af30340603551d1f042d302b3029a027a0258623687474703a2f2f63726c2e73656375726574727573742e636f6d2f535443412e63726c301006092b06010401823715010403020100300d06092a864886f70d0101050500038201010030ed4f4ae1583a52725bb5a6a36518a6bb513b77e99dead39f5ce045657b0dca5be27050b2940514ae49c78d41071273947e0c2321fdbc107f60105a72f5980eacecb97fdd7a6f5dd31cf4ff88056942a90571c8b7ac26e82eb48c6aff71dcb8b1df99bc7c21542be458a2bb5729ae9ea9a319260f992e08b0effd69cf991a098de3a79f2bc936347b24b3784c9517a406261eb66452365f6067d99cc505740be76723d208fc88e9ae8b7fe130f4377efdc632da2d9e4430306cee07ded234fcd2ff40f64bf466460654a6f2320a6326306b9bd1dc8b47bae1b9d562d0a2a0f467057829631a6f04d6f8c64ca39ab137b48de5284b1d9e2cc2b868bced02ee31	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70103000000010000001400000002faf3e291435468607857694df5e45b6885186820000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB\Blob = 03000000010000001400000033e4e80807204c2b6182a3a14b591acd25b5f0db1400000001000000140000008d8c5ec454ad8ae177e99bf99b05e1b8018d61e1040000000100000010000000adab5c4df031fb9299f71ada7e18f6130f00000001000000300000008b612b2190a95b28b866b9be5d0b95f368c17534ab1da61a42dfb32766f9ae2908fe6bfd1669be140eddaf0d33e95235190000000100000010000000fc741b3b78cfb31e075744fe5d0eeb965c000000010000000400000000080000180000000100000010000000ea6089055218053dd01e37e1d806eedf20000000010000001706000030820613308203fba00302010202107d5b5126b476ba11db74160bbc530da7300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3138313130323030303030305a170d3330313233313233353935395a30818f310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f726431183016060355040a130f5365637469676f204c696d69746564313730350603550403132e5365637469676f2052534120446f6d61696e2056616c69646174696f6e205365637572652053657276657220434130820122300d06092a864886f70d01010105000382010f003082010a0282010100d67333d6d73c20d000d21745b8d63e07a23fc741ee3230c9b06cfdf49fcb12980f2d3f8d4d010c820f177f622ee9b84879fb16834eadd7322593b707bfb9503fa94cc3402ae939ffd981ca1f163241da8026b9237a87201ee3ff209a3c95446f8775069040b4329316091008233ed2dd870f6f5d51146a0a69c54f017269cfd3934c6d04a0a31b827eb19ab9edc59ec537789f9a0834fb562e58c4090e06645bbc37dcf19f2868a856b092a35c9fbb8898081b241dab3085aeafb02e9e7a9dc1c0421ce202f0eae04ad2ef900eb4c14016f06f85424a64f7a430a0febf2ea3275a8e8b58b8adc319178463ed6f56fd83cb6034c474bee69ddbe1e4e5ca0c5f150203010001a382016e3082016a301f0603551d230418301680145379bf5aaa2b4acf5480e1d89bc09df2b20366cb301d0603551d0e041604148d8c5ec454ad8ae177e99bf99b05e1b8018d61e1300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b06010505070302301b0603551d200414301230060604551d20003008060667810c01020130500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737452534143657274696669636174696f6e417574686f726974792e63726c307606082b06010505070101046a3068303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f555345525472757374525341416464547275737443412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c0500038202010032bf61bd0e48c34fc7ba474df89c781901dc131d806ffcc370b4529a31339a5752fb319e6ba4ef54aa898d401768f811107cd2cab1f15586c7eeb3369186f63951bf46bf0fa0bab4f77e49c42a36179ee468397aaf944e566fb27b3bbf0a86bdcdc5771c03b838b1a21f5f7edb8adc4648b6680acfb2b5b4e234e467a93866095ed2b8fc9d283a174027c2724e29fd213c7ccf13fb962cc53144fd13edd59ba96968777ceee1ffa4f93638085339a284349c19f3be0eacd52437eb23a878d0d3e7ef924764623922efc6f711be2285c6664424268e10328dc893ae079e833e2fd9f9f5468e63bec1e6b4dca6cd21a8860a95d92e85261afdfcb1b657426d95d133f6391406824138f58f58dc805ba4d57d9578fda79bfffdc5a869ab26e7a7a405875ba9b7b8a3200b97a94585ddb38be589378e290dfc0617f638400e42e41206fb7bf3c6116862dfe398f413d8154f8bb169d91060bc642aea31b7e4b5a33a149b26e30b7bfd028eb699c138975936f6a874a286b65eebc664eacfa0a3f96e9eba2d11b6869808582dc9ac2564f25e75b438c1ae7f5a4683ea51cab6f19911356ba56a7bc600b0e7f8be64b2adc8c2f1ace351eaa493e079c8e18140c90a5be1123cc1602ae397c08942ca94cf46981269bb98d0c2d30d724b476ee593c43228638743e4b0323e0ad34bbf239b1429412b9a041f932df1c739483cad5a127f	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\SystemCertificates\CA\Certificates\4DEEA7060D80BABF1643B4E0F0104C82995075B7\Blob = 0300000001000000140000004deea7060d80babf1643b4e0f0104c82995075b7140000000100000014000000a3c85e6554e53078c105ea070a6a59ccb9fede5a04000000010000001000000042672e72f86c9ba154608d36bccd3c610f0000000100000020000000a2ffac7663c45d94e0bb448815febe55f1ed76a0bdab23cba1080a7e810b2f97190000000100000010000000a11334ea9745e3adfe3d13cffef49c545c0000000100000004000000000800001800000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee20000000010000008d0400003082048930820371a0030201020210025a8aef196f7e0d6c2104b21ae6702b300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3137313130363132323335325a170d3237313130363132323335325a305c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d311b30190603550403131254686177746520525341204341203230313830820122300d06092a864886f70d01010105000382010f003082010a0282010100ca085ee5538a971c1e432fb68aa756e98b8443a8ac9d7a55827a144b86b72f8f529f1ccab1205b6fba22dda69c2d78dae906084ebe13a6ebcbbb3eb9050c3e4ae1f0321f134ef506c54773893e80a38bf101249ba39966926b68ad0d2db4cd72a2f4f9385a65a6b48c53c1081a84f8fd2ef311756edc6a3129ac0d87cc936078df25ba265991c6835235a6ca9cb8281aced71cee14bf765c65ab381e79e97ccc492326a2525066d05961ffa0fe9a4c0c9ff9e88ede098bb815c1a4084c269c7b06dbfd8a745b587ecd63a4912f45f07a3c940b8a7cb205a967939f68e5956360d858955fe055ef93a7113b7ce692d86644e0abbda78fcda48578412454e7d8030203010001a38201403082013c301d0603551d0e04160414a3c85e6554e53078c105ea070a6a59ccb9fede5a301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b0601050507030230120603551d130101ff040830060101ff020100303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d30420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63726c303d0603551d200436303430320604551d2000302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f435053300d06092a864886f70d01010b05000382010100444d85e5dd1c828ce164d5a89022df761865ea65d23b25374a83da9987167cb1f50b33300fc6b5fa916fc072107ef9705c51fc32b8c1dc2fa35686cd6d5591ae0a92dc9b1ad25b511ff15fb3a65380fe162589b548da546e047b2d6503d85f8f4ef28133f81ff5e4b2a8fe0e889b2561a6b7f0d535695031648d79a3ee315f845932a2972080531b657ea0f063435a0f9871800bfc96b7679386f6fcfeb7bb3a94a951d2727c67fded778ce0f889025ebee07417863c0ded93d92ab42ff40cb7dcc82660b55003ec7d1ce3595f1f6fbf2f2997d6eef8d55858a1b1cc6c412b4081a3399550279740f24a3d3665798b8d335f295353fc5e1d420e0b8cf991287b	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe

pid	process
3904	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
3904	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
3904	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
3904	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
3904	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
3904	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
3904	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
3904	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
3904	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
3904	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
3904	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
3904	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1344 vssvc.exe
Token: SeRestorePrivilege 1344 vssvc.exe
Token: SeAuditPrivilege 1344 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	1344	vssvc.exe
Token: SeRestorePrivilege	1344	vssvc.exe
Token: SeAuditPrivilege	1344	vssvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.execmd.exe

description	pid	process	target process
PID 3904 wrote to memory of 1248	3904	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe	cmd.exe
PID 3904 wrote to memory of 1248	3904	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe	cmd.exe
PID 3904 wrote to memory of 1248	3904	0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe	cmd.exe
PID 1248 wrote to memory of 3936	1248	cmd.exe	vssadmin.exe
PID 1248 wrote to memory of 3936	1248	cmd.exe	vssadmin.exe
PID 1248 wrote to memory of 3936	1248	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe
"C:\Users\Admin\AppData\Local\Temp\0d7f296d0b7ad462d55d49c374ef271f5898c3487192bff7b157942280b876b6.sample.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:3936

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1248-119-0x0000000000000000-mapping.dmp

Download
memory/3904-114-0x0000000000750000-0x00000000007FE000-memory.dmp

Filesize
696KB

Download
memory/3904-115-0x0000000000B00000-0x0000000000C4A000-memory.dmp

Filesize
1.3MB

Download
memory/3904-116-0x0000000000B00000-0x0000000000C4A000-memory.dmp

Filesize
1.3MB

Download
memory/3904-117-0x0000000000B00000-0x0000000000C4A000-memory.dmp

Filesize
1.3MB

Download
memory/3904-118-0x0000000000B00000-0x0000000000C4A000-memory.dmp

Filesize
1.3MB

Download
memory/3936-120-0x0000000000000000-mapping.dmp

Download