sodinokibi | bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38

Resubmissions

14-09-2021 08:49

210914-kq3xmsaddj 10

10-09-2021 11:25

210910-njq62sdbaq 10

Analysis

max time kernel
1789s
max time network
1798s
platform
windows10_x64
resource
win10-en
submitted
14-09-2021 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
Size

144KB
MD5

6eaaae60fecab071f00a117bf4992165
SHA1

3f84dbcedf11fd985c4400ccf7c028eb3c7cfaf8
SHA256

bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38
SHA512

d7768a4cafc855cef3cf41ea5417a2ba9c9847a14fd93d94c3d9c9672f7d2f986cc315cdb753b623aa1101b6da3dce3e839f6b01073b798c0550bcf95a925a1e

Score

10^/10

sodinokibi ransomware spyware stealer suricata

Malware Config

Extracted

Path

C:\127c6q9-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 127c6q9. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9C0C4EB31C69A029 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/9C0C4EB31C69A029 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: pGimByMQxEZz6Gp9nslsFJhk8+VZiRPdLBAFaz3UIAdQLD5eWUK2KdO5VP5fRvwL xgdF0G4jdZ7uZn/654azy2alHZL2D2kVFBGBn2HgtLmxKN709rxF1b6MeDCheWJO el/q6Ukg0exNSJmrZ83cVsi8WAxHfg3kaDr+467IC3gBb8n2MpXAVSifaOMxSMh4 RKYnXahKSPNAKPIIR7YYpMwcSc2iPn7aQodXheoR6bMmqWU21Qo3UNmCupGeFHJ/ t+jJCxYtP12+BBrmmd+lbzLsn/BD3SkteryCgrAyqPQ+zoTtdpcMTLjrpdFGXyjW eZSjbJxrF+0LTL91W80H8ZFTMa39KtSg2jT5RBD+7xrHLTwTRrkWmQaDvIQxhSoB VmfpSTsGw5myo11kI9LpFna8WID+FtutmEMtfdklIBzOqO3wIdGut4PszdTx8Wob j6zfjEX+5oHZ1yuux5xkJo62VIxRcJT92KH50bsqWaNTfS16oFK5thIJYZqupew8 MO8p9uZe2f8DPwz7F/SwCeRr5ahQo5jxclujCp+xItZgDmKUE1TI4+ndthtiw/cs Gu+efiDbFXauxQjshdc9nxUFj3Mggsvokux7+NMIYFL3AlP7mqu9thQgifbcVaJC SrcP0rzZc+nSiJuH0WWYO+9Df/LmLV1iqRNzNxhPOvYzkavDDZ0cZybJBoesxffW hjpeHAaofxxph3yc509yl30wdtq44tG07ETkE37f0FUGURK7mKoSNLCiL8fQKwSB 5ouLr6JgTvdW+kdD0jhooKMX0YdeWtHrFb4K+mziP8olcUksLBRuJHzXp/ucdofE lO106A4ogJadasIAy+VML9lpF0fbsXdYenV4C2kZORWJhVuavCAEPPUBdvwXyXJg tn5V+4+9tXGJOt0iDXK0wkzSMMi7R8jGh/Vh4UXMp9AnDFEza4mTSAhf6nH7Pavw UbWhL8KLTL2SWE0tF5NnUJKErjkj3D/K1s8w05U+kcZrqsm4dcbmQ9QvNkqUKoPC q3w9wY713H9/7aP9KLVkGxL+bM1wuZ6v50f5uj0o74YA48s1YwFbmigW/uMWgmMt 4yfWExahu4m1bLZFqmlFqob5ysfXCiwflU7fstdEWJjlwqDXuIT6uHw0 Extension name: 127c6q9 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9C0C4EB31C69A029

http://decryptor.top/9C0C4EB31C69A029

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
suricata: ET MALWARE Known Sinkhole Response Header
suricata: ET MALWARE Known Sinkhole Response Header
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 16 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ExitHide.tif => \??\c:\users\admin\pictures\ExitHide.tif.127c6q9	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\SwitchConfirm.png => \??\c:\users\admin\pictures\SwitchConfirm.png.127c6q9	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\BackupEnable.png => \??\c:\users\admin\pictures\BackupEnable.png.127c6q9	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\PingReset.tif => \??\c:\users\admin\pictures\PingReset.tif.127c6q9	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\RestartDeny.crw => \??\c:\users\admin\pictures\RestartDeny.crw.127c6q9	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	\??\c:\users\admin\pictures\SuspendCompare.tiff	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\CloseResume.png => \??\c:\users\admin\pictures\CloseResume.png.127c6q9	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\DisconnectGet.tif => \??\c:\users\admin\pictures\DisconnectGet.tif.127c6q9	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\TestClose.raw => \??\c:\users\admin\pictures\TestClose.raw.127c6q9	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\SuspendCompare.tiff => \??\c:\users\admin\pictures\SuspendCompare.tiff.127c6q9	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\StopSend.png => \??\c:\users\admin\pictures\StopSend.png.127c6q9	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\TraceCompare.png => \??\c:\users\admin\pictures\TraceCompare.png.127c6q9	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	\??\c:\users\admin\pictures\ReadDeny.tiff	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\ApproveExpand.png => \??\c:\users\admin\pictures\ApproveExpand.png.127c6q9	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\LimitUnblock.png => \??\c:\users\admin\pictures\LimitUnblock.png.127c6q9	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\ReadDeny.tiff => \??\c:\users\admin\pictures\ReadDeny.tiff.127c6q9	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe

description	ioc	process
File opened (read-only)	\??\E:	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened (read-only)	\??\F:	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened (read-only)	\??\M:	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened (read-only)	\??\X:	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened (read-only)	\??\U:	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened (read-only)	\??\Z:	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened (read-only)	\??\A:	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened (read-only)	\??\I:	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened (read-only)	\??\P:	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened (read-only)	\??\S:	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened (read-only)	\??\R:	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened (read-only)	\??\T:	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened (read-only)	\??\V:	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened (read-only)	\??\B:	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened (read-only)	\??\H:	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened (read-only)	\??\L:	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened (read-only)	\??\Q:	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened (read-only)	\??\O:	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened (read-only)	\??\W:	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened (read-only)	\??\Y:	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened (read-only)	\??\D:	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened (read-only)	\??\G:	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened (read-only)	\??\J:	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened (read-only)	\??\K:	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened (read-only)	\??\N:	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9wdah6.bmp"	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe

Drops file in Program Files directory 28 IoCs

Processes:

bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe

description	ioc	process
File opened for modification	\??\c:\program files\ReceiveSplit.vbe	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	\??\c:\program files\TraceSuspend.mov	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	\??\c:\program files\ConvertDeny.docx	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	\??\c:\program files\PushBackup.au	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	\??\c:\program files\ResolveUndo.ogg	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	\??\c:\program files\InstallUpdate.pptm	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	\??\c:\program files\MeasureUnlock.mp4	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	\??\c:\program files\PublishRename.shtml	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	\??\c:\program files\UndoSelect.dotx	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File created	\??\c:\program files (x86)\d60dff40.lock	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	\??\c:\program files\OptimizeShow.emf	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	\??\c:\program files\RestartFind.cfg	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File created	\??\c:\program files\127c6q9-readme.txt	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	\??\c:\program files\ApproveResolve.vdx	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	\??\c:\program files\RequestUpdate.html	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	\??\c:\program files\GetWait.clr	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	\??\c:\program files\UnprotectOptimize.vsdm	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	\??\c:\program files\AddRedo.M2TS	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	\??\c:\program files\SelectUndo.mpp	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	\??\c:\program files\BackupDebug.otf	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	\??\c:\program files\ConfirmDismount.mht	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	\??\c:\program files\DisconnectConvert.jtx	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	\??\c:\program files\ResetStart.crw	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	\??\c:\program files\ResolveReceive.ram	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File created	\??\c:\program files\d60dff40.lock	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File created	\??\c:\program files (x86)\127c6q9-readme.txt	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	\??\c:\program files\ApprovePush.mhtml	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	\??\c:\program files\RevokeClose.potx	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe

Drops file in Windows directory 64 IoCs

Processes:

bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..gc-kspsvc.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_4d03cf87179eca2a_ngcsvc.dll.mui_96312421	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_fi-fi_735d69029ba32696.manifest	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_bg-bg_0db76bcd0aaf78a5_msimsg.dll.mui_72e8994f	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_es-es_8fb72afa21e2997c.manifest	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.15063.0_en-us_87ac933f1cd28fdb_winload.efi.mui_35ee487d	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.15063.0_none_946aa6202fade3c5_vgasysr.fon_af0ffe9e	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.15063.0_de-de_5be8d57b685c3b22_scarddlg.dll.mui_300ae9df	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_a75c7e574a334eee_scarddlg.dll.mui_300ae9df	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmpdui.resources_31bf3856ad364e35_10.0.15063.0_en-us_9504eb788afd0242.manifest	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_es-es_d4426455a689346c_bootmgr.exe.mui_c434701f	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appidcore.resources_31bf3856ad364e35_10.0.15063.0_de-de_c17bc5b99296773d.manifest	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_es-mx_5a3813d19649f7b4.manifest	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_10.0.15063.0_en-us_d84575ef7f0e3162.manifest	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_hu-hu_bc452e16cf9468db_memtest.exe.mui_77b8cbcc	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-session0viewer_31bf3856ad364e35_10.0.15063.0_none_fd4f6b8db3dd79d5.manifest	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_ru-ru_1d981f25f7673e6e_bootmgr.exe.mui_c434701f	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.15063.0_none_0e77f624e73557a1_8514oemr.fon_dbe7e3dc	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-schannel_31bf3856ad364e35_10.0.15063.0_none_332a24478e119029.manifest	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-appidcore.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_174418e7a8ce4d04.manifest	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.15063.0_none_0e77f624e73557a1_8514oem.fon_c20e1190	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_ar-sa_91f9f4c8478981a6_comctl32.dll.mui_0da4e682	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_cs-cz_2af083c33a0dd82e_comctl32.dll.mui_0da4e682	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-security-ngc-ksp_31bf3856ad364e35_10.0.15063.0_none_86f219a38104a03f_ngcksp.dll_a56a189a	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_fi-fi_735d69029ba32696_bootmgr.exe.mui_c434701f	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.15063.0_none_946aa6202fade3c5_vgas874.fon_57846913	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-n..orkconnectionbroker_31bf3856ad364e35_10.0.15063.0_none_6dc3296afdb08731_ncbservice.dll_f9d3de7a	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-crypt32-dll_31bf3856ad364e35_10.0.15063.0_none_76d845674b03423d.manifest	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.15063.0_none_0e77f624e73557a1_s8514oem.fon_304f98b5	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_2ed7c061e8031d3f_iprtrmgr.dll.mui_eb023b92	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_pl-pl_58f4e400e2c4328e_comctl32.dll.mui_0da4e682	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_pt-pt_d4cfe0dc645eff33_memtest.exe.mui_77b8cbcc	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_hr-hr_78aafb7af9d71d92_bootmgr.efi.mui_be5d0075	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..-usermode.resources_31bf3856ad364e35_10.0.15063.0_de-de_2f0789d5a19c2218_wudfplatform.dll.mui_d815d31a	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-dfsclient_31bf3856ad364e35_10.0.15063.0_none_98ae07171eea9e46_dfsc.sys_ff9a943d	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_he-il_87fc497c627dface.manifest	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_pt-br_c999671e308ecd5c_memtest.efi.mui_71e15c22	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-m..lecore-ras-base-vpn_31bf3856ad364e35_10.0.15063.0_none_a1af4bb1e5163dc9_vpntoasticon.png_e607ca23	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-d..vices-sam.resources_31bf3856ad364e35_10.0.15063.0_de-de_86f7ec01bdc8e68b.manifest	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_e9c1351fd8a28638.manifest	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-spp_31bf3856ad364e35_10.0.15063.0_none_2b7530b159c1ac4e_sppmig.dll_22b5b188	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_392c6ab41c63df3a_iprtrmgr.dll.mui_eb023b92	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..opwindowmanager-api_31bf3856ad364e35_10.0.15063.0_none_f122bdc678cc145c_dwmapi.dll_2f4f8b34	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_ru-ru_a156e0fbe8941e0b.manifest	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_fr-ca_c192b575045d79b3.manifest	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_de-de_b9999da0dd11d89a_msimsg.dll.mui_72e8994f	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_hr-hr_5705fc83f923aa47_comctl32.dll.mui_0da4e682	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-c..temminpnp.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_31d8610f74e14b65_drvcfg.exe.mui_ff2bc967	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_hu-hu_439feb4b4bf29ff6_comctl32.dll.mui_0da4e682	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.15063.0_ja-jp_927b4bdd0caf1fba.manifest	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shsvcs.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_d7d073f8d65d1ad1_shsvcs.dll.mui_b69fccab	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..ient-core.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_443aebdfd447e1c0_wuaueng.dll.mui_297f975d	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_nl-nl_810921f84ce2cbc4.manifest	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-directory-services-sam_31bf3856ad364e35_10.0.15063.0_none_c3023296d9c347cc_samlib.dll_caeebf04	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.15063.0_en-us_d24874d4a9b4e91a.manifest	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.15063.0_en-us_67aabff02c2da9b2_iscsidsc.dll.mui_6acb64a6	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.15063.0_de-de_1ad8857af5ad0f23.manifest	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..n-cmdline.resources_31bf3856ad364e35_10.0.15063.0_de-de_37c06abe177a1569.manifest	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_2ae775fa9c77b08e_msimsg.dll.mui_72e8994f	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-directui_31bf3856ad364e35_10.0.15063.0_none_c809cce62764b8db.manifest	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-spp_31bf3856ad364e35_10.0.15063.0_none_2b7530b159c1ac4e.manifest	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.15063.0_de-de_663d7fcd9cbcfd1d_scdeviceenum.dll.mui_815e7662	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-h..p-provsvc.resources_31bf3856ad364e35_10.0.15063.0_de-de_db9cb62863cfdc98.manifest	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.15063.0_none_eb8784774de6a9ad_iscsitargetportal.cdxml_98b1c4de	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..ne-client-overrides_31bf3856ad364e35_10.0.15063.0_none_43849a6a5b3b562b_power.energyestimationengine.cpu.ppkg_d2e30320	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2352 vssadmin.exe

pid	process
2352	vssadmin.exe

Modifies system certificate store 2 TTPs 21 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 5c0000000100000004000000000800000400000001000000100000001d3554048578b03f42424dbf20730a3f03000000010000001400000002faf3e291435468607857694df5e45b688518687e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8782C6C304353BCFD29692D2593E7D44D934FF11	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8782C6C304353BCFD29692D2593E7D44D934FF11\Blob = 190000000100000010000000e6097c8f76ab46189964b5fe3cd5c1d80f000000010000001400000031d254c62674c351d6e6212f6e53175aade3175c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b0601050507030853000000010000002600000030243022060c6086480186fd64010102040130123010060a2b0601040182373c0101030200c0620000000100000020000000f1c1b50ae5a20dd8030ec9f6bc24823dd367b5255759b4e71b61fce9f7375d731400000001000000140000004232b616fa04fdfe5d4b7ac3fdf74c401d5a43af0b000000010000001400000054007200750073007400770061007600650000001d0000000100000010000000eb1e70cf1ead1152153e79ec90edaba40300000001000000140000008782c6c304353bcfd29692d2593e7d44d934ff11040000000100000010000000dc32c3a76d2557c768099dea2da9a2d12000000001000000bc030000308203b8308202a0a00302010202100cf08e5c0816a5ad427ff0eb271859d0300d06092a864886f70d01010505003048310b30090603550406130255533120301e060355040a1317536563757265547275737420436f72706f726174696f6e311730150603550403130e5365637572655472757374204341301e170d3036313130373139333131385a170d3239313233313139343035355a3048310b30090603550406130255533120301e060355040a1317536563757265547275737420436f72706f726174696f6e311730150603550403130e536563757265547275737420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aba481e595cdf5f6148ec24fcad4e27895589c41e10d9940241739913366e9bee183af625c89d1fc245b61b3e01111411c1d6ef0b8bbf8dea781baa648c69f1dbdbe8ea9413eb894ed291ad48ed2031d03ef6d0d671c57d706adcac8f5fe0eaf66254804960b5da3ba16c3084fd146f8145cf2c85e01996dfd88cc86a8c16f31426c523e68cbf31934dfbb8718568026c4d0dcc06fdfdea0c29116a064114b44bc1ef6e7fa63de66ac76a471a3ec3694687a77a4b1e70e2f817ae2b57286efa26b8bf00fdbd3593fba72bc44249ce373b3f7af572f42269da974ba0052f24bcd537c470b36850e66a90897163457c166f780e3ed7054c793e02e28155987babb0203010001a3819d30819a301306092b060104018237140204061e0400430041300b0603551d0f040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604144232b616fa04fdfe5d4b7ac3fdf74c401d5a43af30340603551d1f042d302b3029a027a0258623687474703a2f2f63726c2e73656375726574727573742e636f6d2f535443412e63726c301006092b06010401823715010403020100300d06092a864886f70d0101050500038201010030ed4f4ae1583a52725bb5a6a36518a6bb513b77e99dead39f5ce045657b0dca5be27050b2940514ae49c78d41071273947e0c2321fdbc107f60105a72f5980eacecb97fdd7a6f5dd31cf4ff88056942a90571c8b7ac26e82eb48c6aff71dcb8b1df99bc7c21542be458a2bb5729ae9ea9a319260f992e08b0effd69cf991a098de3a79f2bc936347b24b3784c9517a406261eb66452365f6067d99cc505740be76723d208fc88e9ae8b7fe130f4377efdc632da2d9e4430306cee07ded234fcd2ff40f64bf466460654a6f2320a6326306b9bd1dc8b47bae1b9d562d0a2a0f467057829631a6f04d6f8c64ca39ab137b48de5284b1d9e2cc2b868bced02ee31	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f03000000010000001400000002faf3e291435468607857694df5e45b688518687e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\SystemCertificates\CA\Certificates\247106A405B288A46E70A0262717162D0903E734\Blob = 030000000100000014000000247106a405b288a46e70a0262717162d0903e734140000000100000014000000b390a7d8c9af4ecd613c9f7cad5d7f41fd6930ea0400000001000000100000001a9a69a81f6da92d87f7694e16d8b8790f00000001000000300000009e9609372f45b5101548e8af9a20e0dbf5932dea9b9af86759c2029bc3b53e306e6491f6b15bf00b1e2dee3bb8d43d2219000000010000001000000043e6fa09a3b9d0de6fbe3aacd184c8fd5c000000010000000400000000080000180000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000ed050000308205e9308203d1a003020102021005e4dc3b9438ab3b8597cba6a19850e3300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3134303931323030303030305a170d3234303931313233353935395a305f310b3009060355040613024652310e300c060355040813055061726973310e300c060355040713055061726973310e300c060355040a130547616e64693120301e0603550403131747616e6469205374616e646172642053534c204341203230820122300d06092a864886f70d01010105000382010f003082010a028201010094042da6799574ffd5003cf5aed894b1297cc08f0b0b89b98283976e3728f5a21acfd2920b9ba8d387947384109fdc35cbc22d92ac21b9cb3bfc40c1c18321f0bff8f69cfa9c8210c0d08e4ee50d4cb0915c90b4a4405116dae484122d055ca11f17192451aa7aeae1071b868d0172f2e7d48323399ee0e14c1f6b22a3b41066b0ed8296d76e6ab4f23fb542fcdd8ab5abba2d1d3a759b31dc3e9dac5bd3410d6cb01bf53af579ea21a2f8f433524b242d1ea499b16d48bcb812fe72707cf7fb0275f48dded6dac0a0321a52df386b2e45383f3f049600fda1f4a2bbd517d6277c1b5859955e8a12fd9cab813e52284851856bf391b2863f29b56e0362eed6050203010001a382017530820171301f0603551d230418301680145379bf5aaa2b4acf5480e1d89bc09df2b20366cb301d0603551d0e04160414b390a7d8c9af4ecd613c9f7cad5d7f41fd6930ea300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b0601050507030230220603551d20041b3019300d060b2b06010401b2310102021a3008060667810c01020130500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737452534143657274696669636174696f6e417574686f726974792e63726c307606082b06010505070101046a3068303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f555345525472757374525341416464547275737443412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c050003820201005867fd72b26ad77c6196197ed94346d1267dc853fa66b06b2da7d3aa56f73a88d03b72c950fdf759b2aa68f58c7303bb956517ce2f1cdd9813a291c9eea1406e3c98d65cf3b2223c2dee1ba4e1de202416f28c1173913af6face240287ca93ecb4b6c81617c572fc2740f613fe93a69d51ef3c2bd877579b8c653a352536b7b58a636f072793b1608d80db96d47a8f2dab1c88c96e7ed6651faf5dca163f2846dca035e5f9e9e5d596880c4fc6b77767488427b61fb068dbacbf77b090b8a2c91c325d02ba2543814247bbd8e18f0c0c465fee46336b031482d37ecd8faf90d68e247d4042b46a6a17c69597e1f238cda7edb4274093df72a9b8c666633738642230a23bf1b9c87bc8fb293aab1a72d206124ef682d4236f3ec393e5d8b6c0dedc2316d61330b7a09a0e2c5506007001cfea391d80db88f7a520b85bfd3126698f2d0a61833a47a613542c1ee3ed44cabc6a1f280e51d9de0e9f75cd0e0395caf9c5a92a2dfe41a4a147ae0dc2f93966334a5be18428596c7d941776e44582ad7020fdd26f63a8d7faa033fa37cbf7b2659eda506f3fe4a7f38e5d58329770232ee7fdc4159b9c278f32ed17ad58813129111a9bd4fc6c9528c74e0507a6fd1dbc19e2e8b7b9118a2d701252858d8c334a0ffc9992e06370daa594476307e758c7315f053d3655fe83b2e8a6add7e9e6027488745cda34db90d26d510a23d623	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f95c0000000100000004000000000800001800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB\Blob = 03000000010000001400000033e4e80807204c2b6182a3a14b591acd25b5f0db1400000001000000140000008d8c5ec454ad8ae177e99bf99b05e1b8018d61e1040000000100000010000000adab5c4df031fb9299f71ada7e18f6130f00000001000000300000008b612b2190a95b28b866b9be5d0b95f368c17534ab1da61a42dfb32766f9ae2908fe6bfd1669be140eddaf0d33e95235190000000100000010000000fc741b3b78cfb31e075744fe5d0eeb965c000000010000000400000000080000180000000100000010000000ea6089055218053dd01e37e1d806eedf20000000010000001706000030820613308203fba00302010202107d5b5126b476ba11db74160bbc530da7300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3138313130323030303030305a170d3330313233313233353935395a30818f310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f726431183016060355040a130f5365637469676f204c696d69746564313730350603550403132e5365637469676f2052534120446f6d61696e2056616c69646174696f6e205365637572652053657276657220434130820122300d06092a864886f70d01010105000382010f003082010a0282010100d67333d6d73c20d000d21745b8d63e07a23fc741ee3230c9b06cfdf49fcb12980f2d3f8d4d010c820f177f622ee9b84879fb16834eadd7322593b707bfb9503fa94cc3402ae939ffd981ca1f163241da8026b9237a87201ee3ff209a3c95446f8775069040b4329316091008233ed2dd870f6f5d51146a0a69c54f017269cfd3934c6d04a0a31b827eb19ab9edc59ec537789f9a0834fb562e58c4090e06645bbc37dcf19f2868a856b092a35c9fbb8898081b241dab3085aeafb02e9e7a9dc1c0421ce202f0eae04ad2ef900eb4c14016f06f85424a64f7a430a0febf2ea3275a8e8b58b8adc319178463ed6f56fd83cb6034c474bee69ddbe1e4e5ca0c5f150203010001a382016e3082016a301f0603551d230418301680145379bf5aaa2b4acf5480e1d89bc09df2b20366cb301d0603551d0e041604148d8c5ec454ad8ae177e99bf99b05e1b8018d61e1300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b06010505070302301b0603551d200414301230060604551d20003008060667810c01020130500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737452534143657274696669636174696f6e417574686f726974792e63726c307606082b06010505070101046a3068303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f555345525472757374525341416464547275737443412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c0500038202010032bf61bd0e48c34fc7ba474df89c781901dc131d806ffcc370b4529a31339a5752fb319e6ba4ef54aa898d401768f811107cd2cab1f15586c7eeb3369186f63951bf46bf0fa0bab4f77e49c42a36179ee468397aaf944e566fb27b3bbf0a86bdcdc5771c03b838b1a21f5f7edb8adc4648b6680acfb2b5b4e234e467a93866095ed2b8fc9d283a174027c2724e29fd213c7ccf13fb962cc53144fd13edd59ba96968777ceee1ffa4f93638085339a284349c19f3be0eacd52437eb23a878d0d3e7ef924764623922efc6f711be2285c6664424268e10328dc893ae079e833e2fd9f9f5468e63bec1e6b4dca6cd21a8860a95d92e85261afdfcb1b657426d95d133f6391406824138f58f58dc805ba4d57d9578fda79bfffdc5a869ab26e7a7a405875ba9b7b8a3200b97a94585ddb38be589378e290dfc0617f638400e42e41206fb7bf3c6116862dfe398f413d8154f8bb169d91060bc642aea31b7e4b5a33a149b26e30b7bfd028eb699c138975936f6a874a286b65eebc664eacfa0a3f96e9eba2d11b6869808582dc9ac2564f25e75b438c1ae7f5a4683ea51cab6f19911356ba56a7bc600b0e7f8be64b2adc8c2f1ace351eaa493e079c8e18140c90a5be1123cc1602ae397c08942ca94cf46981269bb98d0c2d30d724b476ee593c43228638743e4b0323e0ad34bbf239b1429412b9a041f932df1c739483cad5a127f	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70103000000010000001400000002faf3e291435468607857694df5e45b6885186820000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8782C6C304353BCFD29692D2593E7D44D934FF11\Blob = 0f000000010000001400000031d254c62674c351d6e6212f6e53175aade3175c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b0601050507030853000000010000002600000030243022060c6086480186fd64010102040130123010060a2b0601040182373c0101030200c0620000000100000020000000f1c1b50ae5a20dd8030ec9f6bc24823dd367b5255759b4e71b61fce9f7375d731400000001000000140000004232b616fa04fdfe5d4b7ac3fdf74c401d5a43af0b000000010000001400000054007200750073007400770061007600650000001d0000000100000010000000eb1e70cf1ead1152153e79ec90edaba40300000001000000140000008782c6c304353bcfd29692d2593e7d44d934ff112000000001000000bc030000308203b8308202a0a00302010202100cf08e5c0816a5ad427ff0eb271859d0300d06092a864886f70d01010505003048310b30090603550406130255533120301e060355040a1317536563757265547275737420436f72706f726174696f6e311730150603550403130e5365637572655472757374204341301e170d3036313130373139333131385a170d3239313233313139343035355a3048310b30090603550406130255533120301e060355040a1317536563757265547275737420436f72706f726174696f6e311730150603550403130e536563757265547275737420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aba481e595cdf5f6148ec24fcad4e27895589c41e10d9940241739913366e9bee183af625c89d1fc245b61b3e01111411c1d6ef0b8bbf8dea781baa648c69f1dbdbe8ea9413eb894ed291ad48ed2031d03ef6d0d671c57d706adcac8f5fe0eaf66254804960b5da3ba16c3084fd146f8145cf2c85e01996dfd88cc86a8c16f31426c523e68cbf31934dfbb8718568026c4d0dcc06fdfdea0c29116a064114b44bc1ef6e7fa63de66ac76a471a3ec3694687a77a4b1e70e2f817ae2b57286efa26b8bf00fdbd3593fba72bc44249ce373b3f7af572f42269da974ba0052f24bcd537c470b36850e66a90897163457c166f780e3ed7054c793e02e28155987babb0203010001a3819d30819a301306092b060104018237140204061e0400430041300b0603551d0f040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604144232b616fa04fdfe5d4b7ac3fdf74c401d5a43af30340603551d1f042d302b3029a027a0258623687474703a2f2f63726c2e73656375726574727573742e636f6d2f535443412e63726c301006092b06010401823715010403020100300d06092a864886f70d0101050500038201010030ed4f4ae1583a52725bb5a6a36518a6bb513b77e99dead39f5ce045657b0dca5be27050b2940514ae49c78d41071273947e0c2321fdbc107f60105a72f5980eacecb97fdd7a6f5dd31cf4ff88056942a90571c8b7ac26e82eb48c6aff71dcb8b1df99bc7c21542be458a2bb5729ae9ea9a319260f992e08b0effd69cf991a098de3a79f2bc936347b24b3784c9517a406261eb66452365f6067d99cc505740be76723d208fc88e9ae8b7fe130f4377efdc632da2d9e4430306cee07ded234fcd2ff40f64bf466460654a6f2320a6326306b9bd1dc8b47bae1b9d562d0a2a0f467057829631a6f04d6f8c64ca39ab137b48de5284b1d9e2cc2b868bced02ee31	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8782C6C304353BCFD29692D2593E7D44D934FF11\Blob = 040000000100000010000000dc32c3a76d2557c768099dea2da9a2d10300000001000000140000008782c6c304353bcfd29692d2593e7d44d934ff111d0000000100000010000000eb1e70cf1ead1152153e79ec90edaba40b000000010000001400000054007200750073007400770061007600650000001400000001000000140000004232b616fa04fdfe5d4b7ac3fdf74c401d5a43af620000000100000020000000f1c1b50ae5a20dd8030ec9f6bc24823dd367b5255759b4e71b61fce9f7375d7353000000010000002600000030243022060c6086480186fd64010102040130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080f000000010000001400000031d254c62674c351d6e6212f6e53175aade3175c2000000001000000bc030000308203b8308202a0a00302010202100cf08e5c0816a5ad427ff0eb271859d0300d06092a864886f70d01010505003048310b30090603550406130255533120301e060355040a1317536563757265547275737420436f72706f726174696f6e311730150603550403130e5365637572655472757374204341301e170d3036313130373139333131385a170d3239313233313139343035355a3048310b30090603550406130255533120301e060355040a1317536563757265547275737420436f72706f726174696f6e311730150603550403130e536563757265547275737420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aba481e595cdf5f6148ec24fcad4e27895589c41e10d9940241739913366e9bee183af625c89d1fc245b61b3e01111411c1d6ef0b8bbf8dea781baa648c69f1dbdbe8ea9413eb894ed291ad48ed2031d03ef6d0d671c57d706adcac8f5fe0eaf66254804960b5da3ba16c3084fd146f8145cf2c85e01996dfd88cc86a8c16f31426c523e68cbf31934dfbb8718568026c4d0dcc06fdfdea0c29116a064114b44bc1ef6e7fa63de66ac76a471a3ec3694687a77a4b1e70e2f817ae2b57286efa26b8bf00fdbd3593fba72bc44249ce373b3f7af572f42269da974ba0052f24bcd537c470b36850e66a90897163457c166f780e3ed7054c793e02e28155987babb0203010001a3819d30819a301306092b060104018237140204061e0400430041300b0603551d0f040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604144232b616fa04fdfe5d4b7ac3fdf74c401d5a43af30340603551d1f042d302b3029a027a0258623687474703a2f2f63726c2e73656375726574727573742e636f6d2f535443412e63726c301006092b06010401823715010403020100300d06092a864886f70d0101050500038201010030ed4f4ae1583a52725bb5a6a36518a6bb513b77e99dead39f5ce045657b0dca5be27050b2940514ae49c78d41071273947e0c2321fdbc107f60105a72f5980eacecb97fdd7a6f5dd31cf4ff88056942a90571c8b7ac26e82eb48c6aff71dcb8b1df99bc7c21542be458a2bb5729ae9ea9a319260f992e08b0effd69cf991a098de3a79f2bc936347b24b3784c9517a406261eb66452365f6067d99cc505740be76723d208fc88e9ae8b7fe130f4377efdc632da2d9e4430306cee07ded234fcd2ff40f64bf466460654a6f2320a6326306b9bd1dc8b47bae1b9d562d0a2a0f467057829631a6f04d6f8c64ca39ab137b48de5284b1d9e2cc2b868bced02ee31	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8782C6C304353BCFD29692D2593E7D44D934FF11\Blob = 5c000000010000000400000000080000040000000100000010000000dc32c3a76d2557c768099dea2da9a2d10300000001000000140000008782c6c304353bcfd29692d2593e7d44d934ff111d0000000100000010000000eb1e70cf1ead1152153e79ec90edaba40b000000010000001400000054007200750073007400770061007600650000001400000001000000140000004232b616fa04fdfe5d4b7ac3fdf74c401d5a43af620000000100000020000000f1c1b50ae5a20dd8030ec9f6bc24823dd367b5255759b4e71b61fce9f7375d7353000000010000002600000030243022060c6086480186fd64010102040130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080f000000010000001400000031d254c62674c351d6e6212f6e53175aade3175c190000000100000010000000e6097c8f76ab46189964b5fe3cd5c1d82000000001000000bc030000308203b8308202a0a00302010202100cf08e5c0816a5ad427ff0eb271859d0300d06092a864886f70d01010505003048310b30090603550406130255533120301e060355040a1317536563757265547275737420436f72706f726174696f6e311730150603550403130e5365637572655472757374204341301e170d3036313130373139333131385a170d3239313233313139343035355a3048310b30090603550406130255533120301e060355040a1317536563757265547275737420436f72706f726174696f6e311730150603550403130e536563757265547275737420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aba481e595cdf5f6148ec24fcad4e27895589c41e10d9940241739913366e9bee183af625c89d1fc245b61b3e01111411c1d6ef0b8bbf8dea781baa648c69f1dbdbe8ea9413eb894ed291ad48ed2031d03ef6d0d671c57d706adcac8f5fe0eaf66254804960b5da3ba16c3084fd146f8145cf2c85e01996dfd88cc86a8c16f31426c523e68cbf31934dfbb8718568026c4d0dcc06fdfdea0c29116a064114b44bc1ef6e7fa63de66ac76a471a3ec3694687a77a4b1e70e2f817ae2b57286efa26b8bf00fdbd3593fba72bc44249ce373b3f7af572f42269da974ba0052f24bcd537c470b36850e66a90897163457c166f780e3ed7054c793e02e28155987babb0203010001a3819d30819a301306092b060104018237140204061e0400430041300b0603551d0f040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604144232b616fa04fdfe5d4b7ac3fdf74c401d5a43af30340603551d1f042d302b3029a027a0258623687474703a2f2f63726c2e73656375726574727573742e636f6d2f535443412e63726c301006092b06010401823715010403020100300d06092a864886f70d0101050500038201010030ed4f4ae1583a52725bb5a6a36518a6bb513b77e99dead39f5ce045657b0dca5be27050b2940514ae49c78d41071273947e0c2321fdbc107f60105a72f5980eacecb97fdd7a6f5dd31cf4ff88056942a90571c8b7ac26e82eb48c6aff71dcb8b1df99bc7c21542be458a2bb5729ae9ea9a319260f992e08b0effd69cf991a098de3a79f2bc936347b24b3784c9517a406261eb66452365f6067d99cc505740be76723d208fc88e9ae8b7fe130f4377efdc632da2d9e4430306cee07ded234fcd2ff40f64bf466460654a6f2320a6326306b9bd1dc8b47bae1b9d562d0a2a0f467057829631a6f04d6f8c64ca39ab137b48de5284b1d9e2cc2b868bced02ee31	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\SystemCertificates\CA\Certificates\247106A405B288A46E70A0262717162D0903E734	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70103000000010000001400000002faf3e291435468607857694df5e45b688518680400000001000000100000001d3554048578b03f42424dbf20730a3f20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe

pid	process
4000	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
4000	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
4000	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
4000	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
4000	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
4000	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
4000	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
4000	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
4000	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
4000	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
4000	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
4000	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1868 vssvc.exe
Token: SeRestorePrivilege 1868 vssvc.exe
Token: SeAuditPrivilege 1868 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	1868	vssvc.exe
Token: SeRestorePrivilege	1868	vssvc.exe
Token: SeAuditPrivilege	1868	vssvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.execmd.exe

description	pid	process	target process
PID 4000 wrote to memory of 3920	4000	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe	cmd.exe
PID 4000 wrote to memory of 3920	4000	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe	cmd.exe
PID 4000 wrote to memory of 3920	4000	bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe	cmd.exe
PID 3920 wrote to memory of 2352	3920	cmd.exe	vssadmin.exe
PID 3920 wrote to memory of 2352	3920	cmd.exe	vssadmin.exe
PID 3920 wrote to memory of 2352	3920	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:3920

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:2352

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2352-120-0x0000000000000000-mapping.dmp

Download
memory/3920-119-0x0000000000000000-mapping.dmp

Download
memory/4000-116-0x0000000000F10000-0x0000000000F33000-memory.dmp

Filesize
140KB

Download
memory/4000-117-0x0000000002F40000-0x0000000002F41000-memory.dmp

Filesize
4KB

Download
memory/4000-118-0x0000000002F50000-0x0000000002F56000-memory.dmp

Filesize
24KB

Download
memory/4000-115-0x0000000000F10000-0x0000000000F33000-memory.dmp

Filesize
140KB

Download