sodinokibi | 21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3

Resubmissions

14-09-2021 08:49

210914-krgqssfdd9 10

13-09-2021 13:07

210913-qcw5tsggfk 10

Analysis

max time kernel
1802s
max time network
1799s
platform
windows10_x64
resource
win10-en
submitted
14-09-2021 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
Size

165KB
MD5

fad3cd9094f43e48c8e5061aeb2d76ed
SHA1

cdeb9d27b479ecd25e0ebcda4cfdcff8b969470b
SHA256

21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3
SHA512

9063789eab4ea880199791d5f66196b513bdb206991e22e7a991dbc47ffb0aa837e1452de7440985adb7f35e38b6ab7d15ebfce64e1ac2e2c91545876326e015

Score

10^/10

sodinokibi ransomware spyware stealer

Malware Config

Extracted

Path

C:\vop1j504_Wannadie.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension vop1j504. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A22888B8FBEFBD28 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/A22888B8FBEFBD28 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: NDU+1O1CvzDkrNyjdqeJHJFrMS0jzAQZWWB+2OprqIcXX4V6CBgIGpfatym9f7Eh Sjy75OaW0s72gcEjiUVH+woWewArvOspiUs9VSlrgiTvkAw9gRRVrps56+A2C2Za dfEw3MCzqnPSEn8tuc7ORI/0YUIp2TIAs0o3Aov2COnNCgSzYQeEi10oWSZmDgwG 2sFlOxJwCkszmSRdlk4LapfdS/awKEehTLZuTUp9wN7+G85Y3691T+46P5VwFcMl yzkekcqPGddY1e5//CZ4K1KYfhmcAVZYWtzicWXObbCsRREZGgVM3/1AbzyK04aV fYtHCtid3UwiMQyj8olhSi3dVARD05gGLdf7fjs+T4WdILR8ciSwoaOR8vP5AiBq /J4GSC6rbREjdsmet4LbfIZMjMKxrLkmSNt2aXhTQ2JPymlsMcMyicwGsdsE5Bre bn9ywYe9EDxZl3PKCkM3QUZ7w+Y/AgOTgv+lDj35btQsf5KCTVFZITd7rq5L8CB5 yfEjac66V1FbPtPQsPLvUPAWkYO0TioZPRNC2mueuAnqzwWS9ZNpfN2G5xSSekCp tPAFUl3AWPLjGdzOr2ft1aXgW8OEbL/CNr47JFw8J0CLtN4f9PctiGnnFz/7fdyF keK5SlGeKYnBuWaeV1XGlD8B6yc7iMkaft2r+c0BMV6orKf9xN2HJsj97cyfwrHD RiODYFtwwHr2YfwXhKYK+1+sO8gw8BsGHst6qC4TP/bejcJM6/YkEHVLDfzpO8qU HefRFh3J9JhKT0elni6rwqHQPQPJ869eLp2cLRHsJ8HTiiDyeZxAlUsP27L5ugsV MQ0xH6yqfun3H2OzQzhMqiNI7gzJVoowdy6u9TeTxJNb3PtkpHUYvckujE9Qrqg8 FK+RwGdKMD2kvRQVXHTXailEPlz/Q+bedMdHsRxRKovSc4UTIxzjFz1A8P9U2wER INlOQYhVkAOQKf4rziPH3C9nhpmWmsJvWPj4CURIXY6xJPpp1jHh6NIOA9LRQVX0 DwqddwOxDQ5O5unlD5DsWzTHMIB+FyLO+jHypJ+NoOYUrQE/JxYY7dDuwqZQD7ga Leh7XECbZo/wmnk6mLUbGj7y1uenrw8X3ujSDLlQ3stqeg4isKet9y4wo1qxpKUj Extension name: vop1j504 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A22888B8FBEFBD28

http://decryptor.top/A22888B8FBEFBD28

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\RedoSwitch.crw => \??\c:\users\admin\pictures\RedoSwitch.crw.vop1j504	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	\??\c:\users\admin\pictures\ClearNew.tiff	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	\??\c:\users\admin\pictures\CompleteInitialize.tiff	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\CompleteInitialize.tiff => \??\c:\users\admin\pictures\CompleteInitialize.tiff.vop1j504	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\ClearNew.tiff => \??\c:\users\admin\pictures\ClearNew.tiff.vop1j504	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\InstallImport.tif => \??\c:\users\admin\pictures\InstallImport.tif.vop1j504	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\MeasureFormat.png => \??\c:\users\admin\pictures\MeasureFormat.png.vop1j504	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe

description	ioc	process
File opened (read-only)	\??\J:	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened (read-only)	\??\P:	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened (read-only)	\??\Q:	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened (read-only)	\??\V:	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened (read-only)	\??\X:	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened (read-only)	\??\D:	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened (read-only)	\??\A:	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened (read-only)	\??\E:	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened (read-only)	\??\M:	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened (read-only)	\??\R:	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened (read-only)	\??\U:	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened (read-only)	\??\W:	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened (read-only)	\??\Y:	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened (read-only)	\??\H:	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened (read-only)	\??\K:	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened (read-only)	\??\O:	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened (read-only)	\??\S:	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened (read-only)	\??\Z:	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened (read-only)	\??\B:	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened (read-only)	\??\F:	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened (read-only)	\??\G:	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened (read-only)	\??\I:	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened (read-only)	\??\L:	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened (read-only)	\??\N:	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened (read-only)	\??\T:	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\q8hd6w8u11.bmp"	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe

Drops file in Program Files directory 28 IoCs

Processes:

21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe

description	ioc	process
File created	\??\c:\program files (x86)\vop1j504_Wannadie.txt	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	\??\c:\program files\ConvertToReset.temp	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	\??\c:\program files\ResizeConvertTo.docx	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	\??\c:\program files\LimitSync.aif	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	\??\c:\program files\SyncCopy.dib	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	\??\c:\program files\AssertPush.jtx	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	\??\c:\program files\ConnectMount.MTS	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	\??\c:\program files\PushInstall.vsx	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	\??\c:\program files\PushInvoke.css	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	\??\c:\program files\SearchConvertFrom.dib	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	\??\c:\program files\UndoSubmit.raw	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	\??\c:\program files\ApproveRemove.mp4	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	\??\c:\program files\CheckpointConfirm.wdp	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	\??\c:\program files\GroupDismount.dxf	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	\??\c:\program files\ConvertFromStep.css	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	\??\c:\program files\FindDeny.wps	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	\??\c:\program files\ProtectInstall.emf	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	\??\c:\program files\RemoveMeasure.wmv	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	\??\c:\program files\WatchRename.mpg	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File created	\??\c:\program files\vop1j504_Wannadie.txt	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	\??\c:\program files\DisableUnblock.mht	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	\??\c:\program files\ResizePush.jpeg	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	\??\c:\program files\OptimizeRemove.xml	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	\??\c:\program files\ReadUnregister.wdp	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	\??\c:\program files\WaitUnlock.pps	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	\??\c:\program files\CheckpointConvertTo.ex_	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	\??\c:\program files\ConnectCheckpoint.tiff	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	\??\c:\program files\ExpandAssert.mpg	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe

Drops file in Windows directory 64 IoCs

Processes:

21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_fr-ca_c192b575045d79b3.manifest	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_zh-cn_862002b5f3ade598_comctl32.dll.mui_0da4e682	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.15063.0_en-us_bd795ffe59ae326d.manifest	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_74cb47b79cadf121_gpapi.dll.mui_ef0a9748	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.15063.0_none_f30c8be8f4be0687_kerbclientshared.dll_1fa7b356	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_networking-mpssvc-svc.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_c74cd5a2848ce468_firewallapi.dll.mui_43c7a05b	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_fi-fi_735d69029ba32696.manifest	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_hr-hr_e4d65b28b74d26e9.manifest	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.15063.0_en-us_04d9ab74573a46e7_scdeviceenum.dll.mui_815e7662	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winsock-core.resources_31bf3856ad364e35_10.0.15063.0_en-us_5cfc9994b735544f.manifest	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tunnel_31bf3856ad364e35_10.0.15063.0_none_b47de247bd8313e2.manifest	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-win32kbase_31bf3856ad364e35_10.0.15063.0_none_bf8a1f019f8c15f7.manifest	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-w..-infrastructure-bsp_31bf3856ad364e35_10.0.15063.0_none_d3bbda919a7b39f1_mswsock.dll_e2ad0f2d	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_networking-mpssvc-drv.resources_31bf3856ad364e35_10.0.15063.0_de-de_c03bfcd404188014.manifest	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_ru-ru_ea7ae6abda1aed80_comctl32.dll.mui_0da4e682	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_bg-bg_69d60750c30ce9db_msimsg.dll.mui_72e8994f	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lsa_31bf3856ad364e35_10.0.15063.0_none_b75e63fb9599f19e.manifest	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.15063.0_none_2583321dfa2b45c4_ega40857.fon_5e965632	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lddmcore_31bf3856ad364e35_10.0.15063.0_none_bcdc71d81c5b7ee4_dxgkrnl.sys_8aad3dfb	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_bb2535b5b2501498_iprtrmgr.dll.mui_eb023b92	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.15063.0_en-us_dd56529205f2b805.manifest	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-grouppolicy-base_31bf3856ad364e35_10.0.15063.0_none_438be56a54322168_gpapi.dll_868dd225	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-virtualdiskservice_31bf3856ad364e35_10.0.15063.0_none_8653562b67de179c_vds_ps.dll_fed45dfd	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..opactivitymoderator_31bf3856ad364e35_10.0.15063.0_none_1afe75a2a51438fe_dam.sys_fdd762d9	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.15063.0_none_946aa6202fade3c5_8514sysr.fon_d6a097a2	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_pl-pl_6d8f1aff8f329e47_comctl32.dll.mui_0da4e682	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-cryptdll-dll_31bf3856ad364e35_10.0.15063.0_none_16b25f1fe6942a8d.manifest	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-errorreportingkernel_31bf3856ad364e35_10.0.15063.0_none_5fff332cae3dfdb7_werkernel.sys_bd06c194	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.15063.0_none_946aa6202fade3c5_j8514sys.fon_cfb116c0	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-profsvc.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_a6a03551fa889d82_profsvc.dll.mui_32482e9e	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmpdui.resources_31bf3856ad364e35_10.0.15063.0_en-us_9504eb788afd0242.manifest	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_zh-tw_2b7fd85da86d863f_memtest.efi.mui_71e15c22	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_10.0.15063.0_de-de_53ab704c5bfd8301.manifest	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_bg-bg_6b4cd629a017904a.manifest	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_th-th_e3d2bbfcae0c8c16.manifest	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-gdi_31bf3856ad364e35_10.0.15063.0_none_c53b9c03c7b5d8af_lpk.dll_ebdc1de9	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_th-th_863d51a018a47471_msimsg.dll.mui_72e8994f	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-client-li..m-service.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_f5e67079153cbce7.manifest	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-netlogon_31bf3856ad364e35_10.0.15063.0_none_0ecb907c70c8a1bf.manifest	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.isolationautomation_6595b64144ccf1df_1.0.15063.0_none_58a3b1f2dbb10121.manifest	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-d..ient-core.resources_31bf3856ad364e35_10.0.15063.0_de-de_89bab4107f8e8dca_dnsapi.dll.mui_97465f8a	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..configurationengine_31bf3856ad364e35_10.0.15063.0_none_d48d673ef5ca25b4_scesrv.dll_07b1e224	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-com-base.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_f863dd8f33bd56fe_wintypes.dll.mui_36d5f25a	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.15063.0_de-de_3cea917b11996ccf_ncprov.dll.mui_40240de1	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_0c269ac8c338b765_netiougc.exe.mui_ad7a9e4d	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_ja-jp_5569e07ec9d20ae6.manifest	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_8bcc92f3c3de4217_mswsock.dll.mui_d7c2a730	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_de-de_2b863178b7843702.manifest	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.15063.0_none_2583321dfa2b45c4_app857.fon_e51c02f4	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_en-gb_50ad0e299c666e9f_msimsg.dll.mui_72e8994f	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-msasn1_31bf3856ad364e35_10.0.15063.0_none_d86def03de301c93_msasn1.dll_e56dbc57	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-msfs_31bf3856ad364e35_10.0.15063.0_none_b784197455bb2003.manifest	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_sk-sk_0ed5b4a952aaf957.manifest	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.15063.0_none_f5dc2ec982476ba8_iscsi.psd1_8e91985d	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasbase_31bf3856ad364e35_10.0.15063.0_none_2948eb6ce79ec07c_switch.inf_4b9b5a3f	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.15063.0_en-us_0f2e55c68b9b08e2_certprop.dll.mui_602eaab4	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-efs-service.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_0079bb0e78995204_efssvc.dll.mui_03cc4e41	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-gpuenergydriver_31bf3856ad364e35_10.0.15063.0_none_5f8d670fc6da540a.manifest	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.15063.0_en-us_6f2b6a7eee701612.manifest	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ui-xaml-inkcontrols_31bf3856ad364e35_10.0.15063.0_none_df697b059d7eb384.manifest	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.15063.0_de-de_3cea917b11996ccf.manifest	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-basedependencies_31bf3856ad364e35_10.0.15063.0_none_b7972f79a940b072_psapi.dll_e8b5b4d1	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-branding-engine_31bf3856ad364e35_10.0.15063.0_none_9e5f1652e5d5551c_winsku.dll_6e6c7799	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.15063.0_en-us_87ac933f1cd28fdb.manifest	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe

Modifies system certificate store 2 TTPs 21 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f95c0000000100000004000000000800001800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8782C6C304353BCFD29692D2593E7D44D934FF11\Blob = 190000000100000010000000e6097c8f76ab46189964b5fe3cd5c1d80f000000010000001400000031d254c62674c351d6e6212f6e53175aade3175c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b0601050507030853000000010000002600000030243022060c6086480186fd64010102040130123010060a2b0601040182373c0101030200c0620000000100000020000000f1c1b50ae5a20dd8030ec9f6bc24823dd367b5255759b4e71b61fce9f7375d731400000001000000140000004232b616fa04fdfe5d4b7ac3fdf74c401d5a43af0b000000010000001400000054007200750073007400770061007600650000001d0000000100000010000000eb1e70cf1ead1152153e79ec90edaba40300000001000000140000008782c6c304353bcfd29692d2593e7d44d934ff11040000000100000010000000dc32c3a76d2557c768099dea2da9a2d12000000001000000bc030000308203b8308202a0a00302010202100cf08e5c0816a5ad427ff0eb271859d0300d06092a864886f70d01010505003048310b30090603550406130255533120301e060355040a1317536563757265547275737420436f72706f726174696f6e311730150603550403130e5365637572655472757374204341301e170d3036313130373139333131385a170d3239313233313139343035355a3048310b30090603550406130255533120301e060355040a1317536563757265547275737420436f72706f726174696f6e311730150603550403130e536563757265547275737420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aba481e595cdf5f6148ec24fcad4e27895589c41e10d9940241739913366e9bee183af625c89d1fc245b61b3e01111411c1d6ef0b8bbf8dea781baa648c69f1dbdbe8ea9413eb894ed291ad48ed2031d03ef6d0d671c57d706adcac8f5fe0eaf66254804960b5da3ba16c3084fd146f8145cf2c85e01996dfd88cc86a8c16f31426c523e68cbf31934dfbb8718568026c4d0dcc06fdfdea0c29116a064114b44bc1ef6e7fa63de66ac76a471a3ec3694687a77a4b1e70e2f817ae2b57286efa26b8bf00fdbd3593fba72bc44249ce373b3f7af572f42269da974ba0052f24bcd537c470b36850e66a90897163457c166f780e3ed7054c793e02e28155987babb0203010001a3819d30819a301306092b060104018237140204061e0400430041300b0603551d0f040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604144232b616fa04fdfe5d4b7ac3fdf74c401d5a43af30340603551d1f042d302b3029a027a0258623687474703a2f2f63726c2e73656375726574727573742e636f6d2f535443412e63726c301006092b06010401823715010403020100300d06092a864886f70d0101050500038201010030ed4f4ae1583a52725bb5a6a36518a6bb513b77e99dead39f5ce045657b0dca5be27050b2940514ae49c78d41071273947e0c2321fdbc107f60105a72f5980eacecb97fdd7a6f5dd31cf4ff88056942a90571c8b7ac26e82eb48c6aff71dcb8b1df99bc7c21542be458a2bb5729ae9ea9a319260f992e08b0effd69cf991a098de3a79f2bc936347b24b3784c9517a406261eb66452365f6067d99cc505740be76723d208fc88e9ae8b7fe130f4377efdc632da2d9e4430306cee07ded234fcd2ff40f64bf466460654a6f2320a6326306b9bd1dc8b47bae1b9d562d0a2a0f467057829631a6f04d6f8c64ca39ab137b48de5284b1d9e2cc2b868bced02ee31	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8782C6C304353BCFD29692D2593E7D44D934FF11\Blob = 5c000000010000000400000000080000040000000100000010000000dc32c3a76d2557c768099dea2da9a2d10300000001000000140000008782c6c304353bcfd29692d2593e7d44d934ff111d0000000100000010000000eb1e70cf1ead1152153e79ec90edaba40b000000010000001400000054007200750073007400770061007600650000001400000001000000140000004232b616fa04fdfe5d4b7ac3fdf74c401d5a43af620000000100000020000000f1c1b50ae5a20dd8030ec9f6bc24823dd367b5255759b4e71b61fce9f7375d7353000000010000002600000030243022060c6086480186fd64010102040130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080f000000010000001400000031d254c62674c351d6e6212f6e53175aade3175c190000000100000010000000e6097c8f76ab46189964b5fe3cd5c1d82000000001000000bc030000308203b8308202a0a00302010202100cf08e5c0816a5ad427ff0eb271859d0300d06092a864886f70d01010505003048310b30090603550406130255533120301e060355040a1317536563757265547275737420436f72706f726174696f6e311730150603550403130e5365637572655472757374204341301e170d3036313130373139333131385a170d3239313233313139343035355a3048310b30090603550406130255533120301e060355040a1317536563757265547275737420436f72706f726174696f6e311730150603550403130e536563757265547275737420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aba481e595cdf5f6148ec24fcad4e27895589c41e10d9940241739913366e9bee183af625c89d1fc245b61b3e01111411c1d6ef0b8bbf8dea781baa648c69f1dbdbe8ea9413eb894ed291ad48ed2031d03ef6d0d671c57d706adcac8f5fe0eaf66254804960b5da3ba16c3084fd146f8145cf2c85e01996dfd88cc86a8c16f31426c523e68cbf31934dfbb8718568026c4d0dcc06fdfdea0c29116a064114b44bc1ef6e7fa63de66ac76a471a3ec3694687a77a4b1e70e2f817ae2b57286efa26b8bf00fdbd3593fba72bc44249ce373b3f7af572f42269da974ba0052f24bcd537c470b36850e66a90897163457c166f780e3ed7054c793e02e28155987babb0203010001a3819d30819a301306092b060104018237140204061e0400430041300b0603551d0f040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604144232b616fa04fdfe5d4b7ac3fdf74c401d5a43af30340603551d1f042d302b3029a027a0258623687474703a2f2f63726c2e73656375726574727573742e636f6d2f535443412e63726c301006092b06010401823715010403020100300d06092a864886f70d0101050500038201010030ed4f4ae1583a52725bb5a6a36518a6bb513b77e99dead39f5ce045657b0dca5be27050b2940514ae49c78d41071273947e0c2321fdbc107f60105a72f5980eacecb97fdd7a6f5dd31cf4ff88056942a90571c8b7ac26e82eb48c6aff71dcb8b1df99bc7c21542be458a2bb5729ae9ea9a319260f992e08b0effd69cf991a098de3a79f2bc936347b24b3784c9517a406261eb66452365f6067d99cc505740be76723d208fc88e9ae8b7fe130f4377efdc632da2d9e4430306cee07ded234fcd2ff40f64bf466460654a6f2320a6326306b9bd1dc8b47bae1b9d562d0a2a0f467057829631a6f04d6f8c64ca39ab137b48de5284b1d9e2cc2b868bced02ee31	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8782C6C304353BCFD29692D2593E7D44D934FF11\Blob = 040000000100000010000000dc32c3a76d2557c768099dea2da9a2d10300000001000000140000008782c6c304353bcfd29692d2593e7d44d934ff111d0000000100000010000000eb1e70cf1ead1152153e79ec90edaba40b000000010000001400000054007200750073007400770061007600650000001400000001000000140000004232b616fa04fdfe5d4b7ac3fdf74c401d5a43af620000000100000020000000f1c1b50ae5a20dd8030ec9f6bc24823dd367b5255759b4e71b61fce9f7375d7353000000010000002600000030243022060c6086480186fd64010102040130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080f000000010000001400000031d254c62674c351d6e6212f6e53175aade3175c2000000001000000bc030000308203b8308202a0a00302010202100cf08e5c0816a5ad427ff0eb271859d0300d06092a864886f70d01010505003048310b30090603550406130255533120301e060355040a1317536563757265547275737420436f72706f726174696f6e311730150603550403130e5365637572655472757374204341301e170d3036313130373139333131385a170d3239313233313139343035355a3048310b30090603550406130255533120301e060355040a1317536563757265547275737420436f72706f726174696f6e311730150603550403130e536563757265547275737420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aba481e595cdf5f6148ec24fcad4e27895589c41e10d9940241739913366e9bee183af625c89d1fc245b61b3e01111411c1d6ef0b8bbf8dea781baa648c69f1dbdbe8ea9413eb894ed291ad48ed2031d03ef6d0d671c57d706adcac8f5fe0eaf66254804960b5da3ba16c3084fd146f8145cf2c85e01996dfd88cc86a8c16f31426c523e68cbf31934dfbb8718568026c4d0dcc06fdfdea0c29116a064114b44bc1ef6e7fa63de66ac76a471a3ec3694687a77a4b1e70e2f817ae2b57286efa26b8bf00fdbd3593fba72bc44249ce373b3f7af572f42269da974ba0052f24bcd537c470b36850e66a90897163457c166f780e3ed7054c793e02e28155987babb0203010001a3819d30819a301306092b060104018237140204061e0400430041300b0603551d0f040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604144232b616fa04fdfe5d4b7ac3fdf74c401d5a43af30340603551d1f042d302b3029a027a0258623687474703a2f2f63726c2e73656375726574727573742e636f6d2f535443412e63726c301006092b06010401823715010403020100300d06092a864886f70d0101050500038201010030ed4f4ae1583a52725bb5a6a36518a6bb513b77e99dead39f5ce045657b0dca5be27050b2940514ae49c78d41071273947e0c2321fdbc107f60105a72f5980eacecb97fdd7a6f5dd31cf4ff88056942a90571c8b7ac26e82eb48c6aff71dcb8b1df99bc7c21542be458a2bb5729ae9ea9a319260f992e08b0effd69cf991a098de3a79f2bc936347b24b3784c9517a406261eb66452365f6067d99cc505740be76723d208fc88e9ae8b7fe130f4377efdc632da2d9e4430306cee07ded234fcd2ff40f64bf466460654a6f2320a6326306b9bd1dc8b47bae1b9d562d0a2a0f467057829631a6f04d6f8c64ca39ab137b48de5284b1d9e2cc2b868bced02ee31	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70103000000010000001400000002faf3e291435468607857694df5e45b6885186820000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f03000000010000001400000002faf3e291435468607857694df5e45b688518687e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB\Blob = 03000000010000001400000033e4e80807204c2b6182a3a14b591acd25b5f0db1400000001000000140000008d8c5ec454ad8ae177e99bf99b05e1b8018d61e1040000000100000010000000adab5c4df031fb9299f71ada7e18f6130f00000001000000300000008b612b2190a95b28b866b9be5d0b95f368c17534ab1da61a42dfb32766f9ae2908fe6bfd1669be140eddaf0d33e95235190000000100000010000000fc741b3b78cfb31e075744fe5d0eeb965c000000010000000400000000080000180000000100000010000000ea6089055218053dd01e37e1d806eedf20000000010000001706000030820613308203fba00302010202107d5b5126b476ba11db74160bbc530da7300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3138313130323030303030305a170d3330313233313233353935395a30818f310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f726431183016060355040a130f5365637469676f204c696d69746564313730350603550403132e5365637469676f2052534120446f6d61696e2056616c69646174696f6e205365637572652053657276657220434130820122300d06092a864886f70d01010105000382010f003082010a0282010100d67333d6d73c20d000d21745b8d63e07a23fc741ee3230c9b06cfdf49fcb12980f2d3f8d4d010c820f177f622ee9b84879fb16834eadd7322593b707bfb9503fa94cc3402ae939ffd981ca1f163241da8026b9237a87201ee3ff209a3c95446f8775069040b4329316091008233ed2dd870f6f5d51146a0a69c54f017269cfd3934c6d04a0a31b827eb19ab9edc59ec537789f9a0834fb562e58c4090e06645bbc37dcf19f2868a856b092a35c9fbb8898081b241dab3085aeafb02e9e7a9dc1c0421ce202f0eae04ad2ef900eb4c14016f06f85424a64f7a430a0febf2ea3275a8e8b58b8adc319178463ed6f56fd83cb6034c474bee69ddbe1e4e5ca0c5f150203010001a382016e3082016a301f0603551d230418301680145379bf5aaa2b4acf5480e1d89bc09df2b20366cb301d0603551d0e041604148d8c5ec454ad8ae177e99bf99b05e1b8018d61e1300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b06010505070302301b0603551d200414301230060604551d20003008060667810c01020130500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737452534143657274696669636174696f6e417574686f726974792e63726c307606082b06010505070101046a3068303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f555345525472757374525341416464547275737443412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c0500038202010032bf61bd0e48c34fc7ba474df89c781901dc131d806ffcc370b4529a31339a5752fb319e6ba4ef54aa898d401768f811107cd2cab1f15586c7eeb3369186f63951bf46bf0fa0bab4f77e49c42a36179ee468397aaf944e566fb27b3bbf0a86bdcdc5771c03b838b1a21f5f7edb8adc4648b6680acfb2b5b4e234e467a93866095ed2b8fc9d283a174027c2724e29fd213c7ccf13fb962cc53144fd13edd59ba96968777ceee1ffa4f93638085339a284349c19f3be0eacd52437eb23a878d0d3e7ef924764623922efc6f711be2285c6664424268e10328dc893ae079e833e2fd9f9f5468e63bec1e6b4dca6cd21a8860a95d92e85261afdfcb1b657426d95d133f6391406824138f58f58dc805ba4d57d9578fda79bfffdc5a869ab26e7a7a405875ba9b7b8a3200b97a94585ddb38be589378e290dfc0617f638400e42e41206fb7bf3c6116862dfe398f413d8154f8bb169d91060bc642aea31b7e4b5a33a149b26e30b7bfd028eb699c138975936f6a874a286b65eebc664eacfa0a3f96e9eba2d11b6869808582dc9ac2564f25e75b438c1ae7f5a4683ea51cab6f19911356ba56a7bc600b0e7f8be64b2adc8c2f1ace351eaa493e079c8e18140c90a5be1123cc1602ae397c08942ca94cf46981269bb98d0c2d30d724b476ee593c43228638743e4b0323e0ad34bbf239b1429412b9a041f932df1c739483cad5a127f	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 04000000010000001000000091de0625abdafd32170cbb25172a84670f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee419000000010000001000000063664b080559a094d10f0a3c5f4f629020000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 5c00000001000000040000000008000019000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877604000000010000001000000091de0625abdafd32170cbb25172a846720000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\SystemCertificates\CA\Certificates\247106A405B288A46E70A0262717162D0903E734\Blob = 030000000100000014000000247106a405b288a46e70a0262717162d0903e734140000000100000014000000b390a7d8c9af4ecd613c9f7cad5d7f41fd6930ea0400000001000000100000001a9a69a81f6da92d87f7694e16d8b8790f00000001000000300000009e9609372f45b5101548e8af9a20e0dbf5932dea9b9af86759c2029bc3b53e306e6491f6b15bf00b1e2dee3bb8d43d2219000000010000001000000043e6fa09a3b9d0de6fbe3aacd184c8fd5c000000010000000400000000080000180000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000ed050000308205e9308203d1a003020102021005e4dc3b9438ab3b8597cba6a19850e3300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3134303931323030303030305a170d3234303931313233353935395a305f310b3009060355040613024652310e300c060355040813055061726973310e300c060355040713055061726973310e300c060355040a130547616e64693120301e0603550403131747616e6469205374616e646172642053534c204341203230820122300d06092a864886f70d01010105000382010f003082010a028201010094042da6799574ffd5003cf5aed894b1297cc08f0b0b89b98283976e3728f5a21acfd2920b9ba8d387947384109fdc35cbc22d92ac21b9cb3bfc40c1c18321f0bff8f69cfa9c8210c0d08e4ee50d4cb0915c90b4a4405116dae484122d055ca11f17192451aa7aeae1071b868d0172f2e7d48323399ee0e14c1f6b22a3b41066b0ed8296d76e6ab4f23fb542fcdd8ab5abba2d1d3a759b31dc3e9dac5bd3410d6cb01bf53af579ea21a2f8f433524b242d1ea499b16d48bcb812fe72707cf7fb0275f48dded6dac0a0321a52df386b2e45383f3f049600fda1f4a2bbd517d6277c1b5859955e8a12fd9cab813e52284851856bf391b2863f29b56e0362eed6050203010001a382017530820171301f0603551d230418301680145379bf5aaa2b4acf5480e1d89bc09df2b20366cb301d0603551d0e04160414b390a7d8c9af4ecd613c9f7cad5d7f41fd6930ea300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b0601050507030230220603551d20041b3019300d060b2b06010401b2310102021a3008060667810c01020130500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737452534143657274696669636174696f6e417574686f726974792e63726c307606082b06010505070101046a3068303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f555345525472757374525341416464547275737443412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c050003820201005867fd72b26ad77c6196197ed94346d1267dc853fa66b06b2da7d3aa56f73a88d03b72c950fdf759b2aa68f58c7303bb956517ce2f1cdd9813a291c9eea1406e3c98d65cf3b2223c2dee1ba4e1de202416f28c1173913af6face240287ca93ecb4b6c81617c572fc2740f613fe93a69d51ef3c2bd877579b8c653a352536b7b58a636f072793b1608d80db96d47a8f2dab1c88c96e7ed6651faf5dca163f2846dca035e5f9e9e5d596880c4fc6b77767488427b61fb068dbacbf77b090b8a2c91c325d02ba2543814247bbd8e18f0c0c465fee46336b031482d37ecd8faf90d68e247d4042b46a6a17c69597e1f238cda7edb4274093df72a9b8c666633738642230a23bf1b9c87bc8fb293aab1a72d206124ef682d4236f3ec393e5d8b6c0dedc2316d61330b7a09a0e2c5506007001cfea391d80db88f7a520b85bfd3126698f2d0a61833a47a613542c1ee3ed44cabc6a1f280e51d9de0e9f75cd0e0395caf9c5a92a2dfe41a4a147ae0dc2f93966334a5be18428596c7d941776e44582ad7020fdd26f63a8d7faa033fa37cbf7b2659eda506f3fe4a7f38e5d58329770232ee7fdc4159b9c278f32ed17ad58813129111a9bd4fc6c9528c74e0507a6fd1dbc19e2e8b7b9118a2d701252858d8c334a0ffc9992e06370daa594476307e758c7315f053d3655fe83b2e8a6add7e9e6027488745cda34db90d26d510a23d623	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\SystemCertificates\CA\Certificates\247106A405B288A46E70A0262717162D0903E734	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70103000000010000001400000002faf3e291435468607857694df5e45b688518680400000001000000100000001d3554048578b03f42424dbf20730a3f20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 5c0000000100000004000000000800000400000001000000100000001d3554048578b03f42424dbf20730a3f03000000010000001400000002faf3e291435468607857694df5e45b688518687e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8782C6C304353BCFD29692D2593E7D44D934FF11	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8782C6C304353BCFD29692D2593E7D44D934FF11\Blob = 0f000000010000001400000031d254c62674c351d6e6212f6e53175aade3175c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b0601050507030853000000010000002600000030243022060c6086480186fd64010102040130123010060a2b0601040182373c0101030200c0620000000100000020000000f1c1b50ae5a20dd8030ec9f6bc24823dd367b5255759b4e71b61fce9f7375d731400000001000000140000004232b616fa04fdfe5d4b7ac3fdf74c401d5a43af0b000000010000001400000054007200750073007400770061007600650000001d0000000100000010000000eb1e70cf1ead1152153e79ec90edaba40300000001000000140000008782c6c304353bcfd29692d2593e7d44d934ff112000000001000000bc030000308203b8308202a0a00302010202100cf08e5c0816a5ad427ff0eb271859d0300d06092a864886f70d01010505003048310b30090603550406130255533120301e060355040a1317536563757265547275737420436f72706f726174696f6e311730150603550403130e5365637572655472757374204341301e170d3036313130373139333131385a170d3239313233313139343035355a3048310b30090603550406130255533120301e060355040a1317536563757265547275737420436f72706f726174696f6e311730150603550403130e536563757265547275737420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aba481e595cdf5f6148ec24fcad4e27895589c41e10d9940241739913366e9bee183af625c89d1fc245b61b3e01111411c1d6ef0b8bbf8dea781baa648c69f1dbdbe8ea9413eb894ed291ad48ed2031d03ef6d0d671c57d706adcac8f5fe0eaf66254804960b5da3ba16c3084fd146f8145cf2c85e01996dfd88cc86a8c16f31426c523e68cbf31934dfbb8718568026c4d0dcc06fdfdea0c29116a064114b44bc1ef6e7fa63de66ac76a471a3ec3694687a77a4b1e70e2f817ae2b57286efa26b8bf00fdbd3593fba72bc44249ce373b3f7af572f42269da974ba0052f24bcd537c470b36850e66a90897163457c166f780e3ed7054c793e02e28155987babb0203010001a3819d30819a301306092b060104018237140204061e0400430041300b0603551d0f040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604144232b616fa04fdfe5d4b7ac3fdf74c401d5a43af30340603551d1f042d302b3029a027a0258623687474703a2f2f63726c2e73656375726574727573742e636f6d2f535443412e63726c301006092b06010401823715010403020100300d06092a864886f70d0101050500038201010030ed4f4ae1583a52725bb5a6a36518a6bb513b77e99dead39f5ce045657b0dca5be27050b2940514ae49c78d41071273947e0c2321fdbc107f60105a72f5980eacecb97fdd7a6f5dd31cf4ff88056942a90571c8b7ac26e82eb48c6aff71dcb8b1df99bc7c21542be458a2bb5729ae9ea9a319260f992e08b0effd69cf991a098de3a79f2bc936347b24b3784c9517a406261eb66452365f6067d99cc505740be76723d208fc88e9ae8b7fe130f4377efdc632da2d9e4430306cee07ded234fcd2ff40f64bf466460654a6f2320a6326306b9bd1dc8b47bae1b9d562d0a2a0f467057829631a6f04d6f8c64ca39ab137b48de5284b1d9e2cc2b868bced02ee31	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exepowershell.exe

pid	process
4472	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
4472	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
4520	powershell.exe
4520	powershell.exe
4520	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	4520	powershell.exe
Token: SeBackupPrivilege	4760	vssvc.exe
Token: SeRestorePrivilege	4760	vssvc.exe
Token: SeAuditPrivilege	4760	vssvc.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe

description	pid	process	target process
PID 4472 wrote to memory of 4520	4472	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe	powershell.exe
PID 4472 wrote to memory of 4520	4472	21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:4536

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4520-115-0x0000000000000000-mapping.dmp

Download
memory/4520-120-0x000002AF47770000-0x000002AF47771000-memory.dmp

Filesize
4KB

Download
memory/4520-123-0x000002AF47920000-0x000002AF47921000-memory.dmp

Filesize
4KB

Download
memory/4520-125-0x000002AF47633000-0x000002AF47635000-memory.dmp

Filesize
8KB

Download
memory/4520-124-0x000002AF47630000-0x000002AF47632000-memory.dmp

Filesize
8KB

Download
memory/4520-135-0x000002AF47636000-0x000002AF47638000-memory.dmp

Filesize
8KB

Download