gandcrab | d291fc899f31591a3acdd91c7f0f5199384e2b587234157a0c0ec9d05e93cefd

Resubmissions

01-12-2021 09:50

211201-lvc3fsbccn 10

27-10-2021 09:08

211027-k38zesbch3 10

Analysis

max time kernel
1782s
max time network
1805s
platform
windows11_x64
resource
win11
submitted
01-12-2021 09:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
Size

168KB
MD5

700a4f7ed40dd9ac29891c2ec3d4bef7
SHA1

1546e3bbe9eb3e6b185097226bb758d98a207429
SHA256

872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f
SHA512

1b615297f445eb4c3909e46191834450191b6e9716a83c380a02db6566dd96431f6e2271c01508d3f271af0b4fbfff31b485e1fc6bf952a4b2177aa41fb65c0a

Score

10^/10

gandcrab backdoor ransomware suricata

Malware Config

Extracted

Path

C:\FLTGR-DECRYPT.txt

Ransom Note

---= GANDCRAB V5.0.1 =--- Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .FLTGR The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/fe81d992670adcfa | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAD248eqrxizMAPDhYBwvd2wY2rY9Nl7hrh//YCsQFAJFW5givfPjSSkEzByXgWHpUlXAhUgAs/1VQnFOPj+4w5uq/XnI72OOeB8pc/m2Z06SpztD9pgUYuROr4wUQIOya/0ZE68Nq7BSBFGul126cQWTDiKR4sLkUMDOmA0ADAPsbxZw8rCwWmBwqKTeFH8RfViyQJiL/JjXLstgNuILeie99w2aOwKrVRgxKPNlHGkgb2AMweO06wKBZRAUxsGu4eOsVibitDzEMncJDUyNpG0sJa4r8Bx0POhzRUws1h7W/cqfS/n7PuJ7lR+O3rmm/0MToy8I6Yd6nsujORDHuiPuOd89uDpIHeIgYcHMVmzziD7PzPoUGmlvUpoKrJBRcKAtuyYVpzUhBRswu6vYtzyj6D/Y6DTHxF30ZNYzNaDDGP1v/o3Fq1gQCPQvj2m8MFspjshXvhysvWGwM9xdc197zogvfOavBouUXmKL72CM9oH1wJkOhoDQxZOhbzSiSHZJhd5KPpEQ9gyZIO85wl/Kr1/wk6ZYIvGMFCzhFhds7gL0VRG4PWbVZcVWI/WTvEvXHEFBRVd5UjIIScvUYASv3RkebkoUpD2I7IoXhjUevvx6AUztxYb60eWPVN/CKr2IBCqTsVrLAy0Qe8IOSzn2IDgyJGNo5ydFbpuN190m5ciPs67/88BmMoyBrgE3kc7DSsTDgGy/VZlPOLPnB7cQke3u0BE6nqiJMqE6db1X5hXMJzcqyditbnt/FHX4FXmgyw4d08KeNyoZX4z6o7LNgYh71RUmyD+sGviTHO26qj5yCGjApByjojZUIEUq1IQoveqA5ahKHVhWmBBdxjGaUXcx5WRBvmuVgGC6ARaawUdF/ATKXINVwyq9x7U7RkJShIOtL21jUcpsTAcFxSyuasOEcdwKHpCVdlMZCNRMQNCbHjLj0IPhZwK6824QmGwgTfNX22quCzmNHPLDTW2gspgZX8GPWTonhbT34yuIeifiEnnJaM2T6jQXwtHVIjgq2syATOz6KbBXGMEONN2UCc3v/cZSvBDwOLdTnVu9rtzS8Ib4de2netth7yYbyJBG+OvzGZChLNMCXOiHlGsbRWKV/s69z9TP4sNgzJQapajETFlFafgh6NvMJN9IOhP63u7Fz0tKEBmyYpXe18GojM9bFcCB5AJQYMEczBfJGo4fGjBzAkvjWLrjK+ykhTpj+NJMxnYOaTpvD1mi85yjUSJJ5nEi1M8315egWILeLFAs4bH+noQuC4vYy3dI38fDg0jRqKSGpMd6DeSf3YlejbsxSrMrgZmKWuIIapSGMUEhz5bUaE4UrrK0myVeP29GdV1Z/ilGJx5ezayPcBb4/A5kgmMFk5Wi4NS+HZCmaRi8eLx+N+gi5W6hjACtACIzWzjrPiy8u3Se2ReCmhduIL1U4oNfbfU7SDKpw/wJlxG3SoNXIXhQRCs/rFy1K8DCvLdNCqtTXjGtNhvHn3PWL+u5fciCFtWhqu+uhPGgQvb/ltgX8oMdYQ9XXprTP/+Bw7/wZkZ84121l2vN0ZOp8i6nmy5Mix1CF49qY2hELJGiLSYqe4ONguzOd4FE02Rw0wwdOtg9B/8NqMFp3Kt0LvoDtnbzud34qzj2RHNoU4Oz4IGNy/9EZD2D3pDpEiJUqYh4r+Jr1YKwhV4lFwleStAEEOF3XrBwvAh3JeyzwWlhlluU4toGcXRFrMPKjBi0CLprioFd9LFdtWJexEqeNnH5Ox9ws8SdsRyVTOYdK2C9EorTbxVSHISSuZ21hSsJ7LV8otur/mlYY6uiGBGCPpQ2bSGjRiJhvZ7FBZ26d+sWEBOHLcYRp8rcERR4JMcQHprB4d0TB5O+0Br8lofcAFg+LhvriNJ+ktFUxy/AigmZjbWTkkNXZDRTzAWtvkcm2Ohox46DCjPnu3Kxcpx/hRgJgu1YVWXPjuF20Ci353YpnEo0rR3U/MHpHT8CH2ceeKLG2m5iBv7VlkKcnlj8uzjM53BNokKDWza11g/+1Ntitjxz59I5xQ4lhSdVdXQl2rl83HPApxhyuUxdiK/Do0l/cYOy6+JXLY1bMdUjbpECdE5PJ/SSSN8G42cEzZGM/aaT2uwfw/kwokwyKVdYPihNhZRhceHUC9EPJCCzDtjyl7jIRPkbhNsK82yhyE5HF7CQSRMrXvt78aj+yObYV0K4st0pnQcrP31IuXC+Ae7RtvvehDHjL1qshHI+fVUzi3I= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZOTp1RqnYK7nFWtbffTGeHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZIP7k/TfrG1tVzlDb3jcZAB3gql9dnWN0lCD4xdg7bDNQrvH1xSi3FCw+6kfktKtizqdynr7r154JiurEmkUXBtuLx/242EOtyGtJYZVqBBiHtqhHWEYgb9SdB4o+4aqb3Y5NyPYz32XaispQRTRkqF1PXJPcJ15EHwNAoAxPMnKg+De5fALafiWE+g6xrIQ3vxBFKwg7yZizpCxFE3vPLM+ap1wcZNnQURl2KajmI1gXgeX8EmUHfjiyxQQxnz7JBlpawv3IDVYjpfzfwfAIcOsA2PzRNwX8PQy7ChaZPEubtMkioBZdMbJHjHssOL7+KRYAP+4kgV67utbOZzJr9ZHY= ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/fe81d992670adcfa

Signatures

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops startup file 2 IoCs

Processes:

872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\FLTGR-DECRYPT.txt	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\670adb1a670adcf51c.lock	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe

description	ioc	process
File opened (read-only)	\??\A:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\E:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\F:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\H:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\J:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\M:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\Q:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\R:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\T:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\W:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\G:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\I:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\N:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\B:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\L:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\O:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\P:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\U:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\X:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\K:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\S:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\V:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\Y:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\Z:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp"	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe

Drops file in Program Files directory 4 IoCs

Processes:

872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe

description	ioc	process
File created	C:\Program Files\FLTGR-DECRYPT.txt	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File created	C:\Program Files\670adb1a670adcf51c.lock	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File created	C:\Program Files (x86)\FLTGR-DECRYPT.txt	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File created	C:\Program Files (x86)\670adb1a670adcf51c.lock	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordCharacterGroups = "2"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02uinvflsbxivzcq	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\DeviceLicenseUpdateFailureCount = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02lrqqzjiojuqmiq\DeviceId = "<Data LastUpdatedTime=\"1626948653\" DAInvalidationTime=\"1638352906\"><User username=\"02LRQQZJIOJUQMIQ\"><HardwareInfo BoundTime=\"1626948652\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02pqbxjqyidjvszg	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018000731EFE8C3"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-257790753-2419383948-818201544-1000\02qqqcvzxuoqieqh\DeviceId = "<Data><User username=\"02QQQCVZXUOQIEQH\"/></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordLength = "8"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02pqbxjqyidjvszg\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-257790753-2419383948-818201544-1000\02uinvflsbxivzcq\Reason = "2147780641"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-257790753-2419383948-818201544-1000\02uinvflsbxivzcq\AppIdList	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02uinvflsbxivzcq\Response Saturday, September 04, 2021 08:15:44 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAUsByYpnOTU+SW6+Ag6bZRwAAAAACAAAAAAAQZgAAAAEAACAAAADGxzgw8HwIkQQBV5F6jfaGWFSx35T7g/LKnogGXIjE+wAAAAAOgAAAAAIAACAAAAD1ArIfxHy9yjtBjnNiERlbBY8W93NGINbhysYIZ1WD18AHAAClCCqByKkVM3YqDSzPIs6LIEtyJiO/vO7vEd/ETSCKDNuGqOmWvsnNQ7HmHFUsyw110QvFdnsfi6PTzmjSN0lxpbV9CVSj5fRnhAxfb97xVzE7cnJGZgKQEUEhXDYIkglYDstwS9fN3q4oPUGaRKPtKTyicrr0JoKmxQGukTpZ4bGOFa7xo/Mi/r3HSi7iFPzo+wVrDvvZQbvfnZ1VTtDt6bAmTEigOJNloZZkq0soj9DfouA9THX7Cm/ovCU/UVbg9gosienbO0iptarDPPuLifpxtirwVNsOdPe7k9qzEA1XobF/5mwv0bvK1xbdyzTUvlLLPkigv7Ne8dXPvD946/u+xTZjQQ+vM3HH89t4EYgio6tCRGuzauKkp/eaIf0BhsSiARmlT6CKPgePdn58o9KB3SCPDUDdheMdBY9jbPyhtHd1ANfLvblwr3dBL9BDzVw0w8NWet18O1dizz7vnyTSNb/w37F3zMecpSOeVVNOvlMvQ9w9jr+Va+g5YDkMoTLfqIswzDzT4bz+51wLEYBJqNlsELO4z4zc9x9+CVSaKXlZz1uMuqUdVdME3+XQvckgZFVCmsZg2PsO2UE4aXfmPkj15i997BZuw9ruLfIK0RbfuIyG+SUTqhddKLnR7wMjdpVvJeWNyUIh+n8ns/SuvsT/R3GESl3WS8P8drN1QucDbFdf5jaIJ5m2Mtjw/6p0ZCjZRr+rkGIlyTqpcFyKoXfWwRXvP4oSjZf4kX1WeOpcYSeN3+GszKKkp0FFnMWYqGYi1+UdfnNOFTlL24j0T1eDapVcMpfL3mFoQwqRh6m3NDgk1d139IpT4kCDLg4BeAjOCZ1s6PRZilnoLhdEmqDKYAXr5Ry6+rZxEVLvMHlafXVRZcZzYnJitVa9IsAgHm8gOCYmfpROgyNjPIq8cDkuyoP2JN8W6ZDHLizXYKc64PbyflrA7YsG7IIabKHKGABn1OKpjFYIeozzd4e6kEgrt48QUur7t+w1geqB0+Z1cEpI4AZRlpnF18NVbyuzKJK7WtfbnlUevkBPHvrOOZz/il8JyiYd2GOLsDcCO449BxnTLwZr253K+rwQf8e58eJRriPKgS6H8gZi7snvPwBjAsx9tu/IuKQjJJBN5rky5zYCeIKb76Jcl2T39mVZIRWwoMMz6NE94BxUfAM2zWG1huya4Sv3/0mbFfKXnjRQ8I7aZLOG1hKEIc+SHsShpiHYAdb4VJ+G2ZCaJ0Tif+wbLH00VjNgAP/ePQLNT0Xqkmmt8hQ7hYsWi1UZhFj7jmUnKWUUfEEO797bq77hF+9FqNXBHVMT++IHjsYqF1sqya2d8KXtYQOnPqVawFSHBUyUdbl0XtJpAj2iFUc81FH6QrLj2+Bwd+AwkajWQS/8zyKoiT/TfdqpuKZJQfUk9T20GGKdNSaII8kOlyuZNIDFf+tY+E1jaLL3LCqhRnZhSZQP340ntbCB7Ougj0Z6xGqbs/8vYytzaaRKCLZRtfvL6NL8M1O79+uvNGfzUmaH+pf5qV4bLTslySB2DDi7qmAOK7UlVOWTXKMEVOlMQ7VImyVeYDZyIJ9MVVeAdfKVDBXPhDmXmfFpnM2FRvx3WPgltYL7KaGAW9HfRpS9GN/JQwHBiuelzQeVpLM2UHPQfnfG04/SpeD/pbVqlbQpLLJuc/dYA3fwj/LGHOUXOUJdNy7b/R9yMnS7TnH/vjNoYzaTHjwRPgQe6o75aFk52WlpE290ETo18YWl1AYhbh2ZR3QuGpbIRGr/P0xv80m0og+2sBXwgvtAe9QdmksUWu60YRe8T0vujxHpc3OJgmYmIcogCF+i4T1EYLWFVSAbfKDBJD7mFzLsfy2wpEb91LBVUShEjQRXo8mzZ909C/e104snqR/gxJqv+WT8y2lOpqm1hY814ZEWs8D9cPYRo5f1R5Dstm4jiZe84vFZENe0Qv9IHblGcTo4IS/UDcGlYEHbXmQU0tGrXfhjh93P5SQ981zpm/OzWaZnNA+YzaJqkXLiSb2dbBMwGeioVLiU2uvZbFhrm61lnUrTp8fkIqge6ZsvLmssUj1IQie77w/RoKqvHM/tZbY/uoz0NfTs2TiakRPV96/haJ4vJjAbowbwzVKC0kmRk/Z5ZrM6ZC8gKPvWh8LQtfxW5X5bAfORRMg1xgKtIql9V3r6mMknK9ISeCr5K25SEEf1DDKUi+vIknFbBEfdqZ/vnx29Wm1KMZczcfkzmeYiJ93SPkO1R4FQ/7N3JNy2SV05VgtXgbriq7XvQxwOWQVmgc+i846UTi8m8AylO8yHC7zYF+5gG3Kvl/Ml3a1qpbL7WxmSBs9PfrncNfbHKpIzoNlpx9Sy8d/n7QO67oY5QvFxo45/w5RpFLR51C5dKEww7fuogu6wPgSZ+Nb95Q40g+PWm/+axqQgYJlyPQjeMuorBYtgO3NrgwNPiDJ2s6AJ3DoUnM596EH8rEYrpVz7n0y123Bx9OBore0GVjIOJjY6ciKlWyJyMBpFrDzXTiEdX8ofhA9Gtxtxz0Xn10IaXK/b8ylvSFrVCKWx8qqaF8dx3TATBbGqKtp0/Wg77AxdbfiLjkJ6Bcs8nBppe/89OPRfNgtj5Tr1d+7wOcpxNBiYG5Nuh4u2TGeFQ7IHbWFwQAAAACb8BlW/dexoBKxUttgkna1zhkB+0Qse+jpe/qcALIUyvi/giWWf6XyrjsU1v4Xboiv/MZ/WrTXxdMaHR6yPJe8="	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02uinvflsbxivzcq\Request Saturday, September 04, 2021 08:15:44 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAUsByYpnOTU+SW6+Ag6bZRwAAAAACAAAAAAAQZgAAAAEAACAAAABz2eFTWnptvjRsSjDmXcRHZfKUpheDzP1XNl+0OmEF/gAAAAAOgAAAAAIAACAAAADcp/7BC4inU1F+CU5NVXjcyT/FFvl7o2RH/GrpQevJ/ZASAACVxLiQk6Y9CNKKhh4/8D4Qkl4nQMzZodWNx6oohi2PuHd+8y0Fej0EVsE5+8pjxBmCs3RQQbpjf+aUDTzN4cZzeppS79KM/YA+47AcxrOYO0L8Mlihwct9BfqZtfKO/2uH5C0GBFyIGjBA9eoiA6U1UReZfnrVyAAZuDcg0eHjsZQmzZYseNOnGhhhk7WOuzLeqNqEwabqkmbXBd5/Q9Ka/W1s78zePD+8Fw/JQuPvLBJbZTzB+qu3Gdlz/cZtiF3ZGiw3vXLdo7mQnoSBm4gYswMRqAnJvOJ78Sfo2oJxVeALsdOBCC90cNXvJX9VdRSMt5s1IvfvjrxvHgKmpYuFcTf/K6BsR6PmiHAdOSnyLu+jc4LPCz4IZKhJK6U1f4XvazgC3jtAKg5VomFvnTZ4NVwgbGmMm2YF5QEFgZN04k7ZJOQTF4BrW028/AgsCcMFS9L2e5v8bpSEmy6NtzZsUMV/ZL3KlNkUiPWDThUehbNbD/kr9uC4BwU2KBvp92nuW+Eq6cRTIc95iYtAKNf+5XCRooYGN/AeicLbbTqpYcmBfZBUqYPtKNjwOygbqSvEmutu382Czibphv630ebjSbsynEwMpoo7PRNN9sobs9mR+X1L5lBAm7k6Iq6Vsk5QCAfdSnnTJ8dhHutLWVbaR+OJ/2+SwspQGiZx/al470JxUrDCY3KU5cFwtxiyY5EBePtnaruieHr5VlSeC59Q/64JBoLdm34Cm9KdiucWDRhSD3EdlFMIaKeaT2AEPJ6IIpKMVZwJBwW86p+Rt5/Ozg0IWbbCkEb7/9Qs/0EKAJl5GuKjqS/Js6RzuV8tT3p5SW8J0D61HE2rqSjmE7yYNt6Nl+DPjvsJNbCxdYfy8SNsQT3PgPZVGx5sF2N7HhnhhbJtZvpBehu8u+JzmHBMo1p5ln0ScuQU99mxYUko/PPWVkVKICYfPwUj5vbpkAmm7nlIK+0+3rlw0m0s5YBymE4NBQcyxJFbwyn3JL/IIoQR3nte02JuZUhb3+yVCIW/8XpzMn9kGLs7S3AIb+jO1IlLPlq2JhdnAtyg2x92GRzEIbEXQo+86DIPSzIsLK3S4bzz/rFWHzFtifFN1Ize3gRIJeq4d2QCGgxAKMIvqV1GVz9Z+UBhHGOawQfXWJ0tbGCNmW0/sfh2vEaqV8vxGJJVXNadFfurNdXT0LjKLR7SxhEIKBByG804SQw5RxTV8kVqpJKYS1tPRKwEbOdqWY8313BWvxHWqFaBIen0dBZ8DfAVw+74WOzxo8GAc5CwogRHmXVcJXEChiW0JCxGQfM7E1n6RJQO8FlsP7gqIfKeJ8J8UZgp/PMk7aPCc/qSZiR3hwZ9jwCFlZf8I6ftIb1DTdorlVxi7zP0BD2R2tqXN6c4ZfT1pvw8YFWXjUVqresJFPaqGZPDvqYLghoXAiro010zYOzJblhOXnvIIsCQtOKnjl5RNpxy9VoijO3XTTNSD/jS/awq306p7VHiYJrBKTenCR51BoRlWAy49y2yH6AxerBJWwnUb8MR/cwhWVyhmMy1k5CB0MY6Qaiee1YdYmTGB98PXM9ZP7EZ2X7PemmqnV0gyR8vEOXSvJB7cSDKpjm6N5sUn9oKExXyx7jDgirjt51mw6n9ZsyDZgueaSp+Kpsl6O2fn4POox9BfzJ+P3weribafogCaDK2xGOGbraivZD0r2e2xQzAA6iVZsdHc2pQxgVWZTUNRrQCi3E5JarGAjAfmgzVW+dSMh71sifTs70O9Uc6bRK35FBICFZZlHeMgt3lhIXjxaXekxLdpuaBxWklpGbL5KqGEfwZtpKOWfpHtay6s7V6ZLznTvWeDFfVzVJqyn4nSIYZWMaOMNkaXJZmH42DxwifxXSwtbz23L8DP7bgFwvWafxZUhK6QdJ9cTQGZiFMo7PUQYdoELaJOkVRHcXJIO1/i0eYKytAuWvAbCr4IlcAoQrtxykTswiFqQ9nsXdR0vkR5Hxa3yCVsbbZK5zNr+cKA32cOyDo6aEyAtyDiF/UgkV8248tWngeyKcQFVE3ON0yjuM5Td/YfFkvSM8rA92qVVpHDk3sB3kDlv5AeuF6ZdAF5pVmVe3/fHm1ClPPjkdlS0rZXl13pIWGsriEZ3JiZA9LfrtJD0rh9K4eqmbxmByQgV0HN6ASaH1hP0HoHz8h4NPPE3F1MafIcGg4Ym0raKMYE9k4ujjJdm7olPmbXPOR+6Tlwzq+zfhlIElRODniStGrf8/i3ctum3w8v3R7LPq+m5BjeiFqonOQS7sVSPfGXweK4mpazRiTOMXBYAv9fzJfY0jaJzKmMi2FroCWXXA8xjjGwjCP5xUkiqi2BSWMAW4X3iq2assQgvBCFDPGAB2HF3CcZ4jUJ5Tj/0xcbkbf+G7L5z4H4UjRHWOsmGX6f6mgig+yEC1d1ZCMwekh1o90hkrvDLQQSvK1DNJTLT0aVflIhfVj8564Y356ZCskLdWeNYKyeMIoyBgSjGNZlzu4i7XRjdjJegFsUaBaVyBQ2jpPxW4kzUlHfIMSe3oisD4J/rvUy2/JyePrL5KSpkAbfzJLHy+iVG27mlwM1bakdS970h/PpF7afbgM9Rg4vFHxgtWZ4XuzGt6wQABhxwKQnxOXUh3JaYHwjwHDmlKfDEgcy51YrdoGqs4kO4j5H08Rbrwy6V/uNOAYKL7LF5GN6nXc9QNpmlDaeeHwyjB8MbXfxAKNTkmTGCAXUZazdUVz1ZHXX0H/40pj0qf5Hxlo1N+ep8Gpk0leETc593HydcnJetr/wNii146IwfAvnkvjwn19axImzicZLWJxVj7RT6NkZQyfEfZ4okxuE7U5zPWiE8jeq3btl+gIcS2SYe8hkYurAhZ/Zaf2vMVG65fJ0X4+x9bwvEowR/WM9trgoCEc+t2M44zWig92B1iA0AhyyD5HkxAvzjE0/K87LVKY1KOcolwpU3uK48IJ1WD0iI9jZoUhWTbGUnLnd5Ti6Mrps8mO0weWYR1zQ1pNRTHWF1aAHy0eODwo6mUSY+CEbUi3gO3ttAoIDQwNy69F7bYSiKAOx6K4X2AlNwymFAzyppPERvmSmhYOIGBERAdccMmtDdkR+ZJFy18i4vuEAoyYXjI6zIYIe58xIJSMMj5qIf3EUhCjrjYvirUb3jQ5vWOzQktryzJUmqkdV5RV+M6uClE3SuQiHEgHcBrAeB9h09b5LKoXa3U+uqndqQTicZgzekqDwbXIWTYYzMiqIvjO4/5x2xsEAh7oMU21L/xPPkkiR5s1+6E66Q2kTYYUhTUnRAAaitjRa/TaCzUyRXJYtglvwMevkBDQLAdK7EJwHo+fFIihogxT9WstH8uEnBkuAW3a6tqT4uLOeY+urQ8EYyX1erL7x/rcgKjsl/FqoZx/ZPWMdBASzAU/0XzvD6PZBUlXyDGdastwVsPz+HpABcrQJ6jp7vDuVbF4ocNK0gMik3oH3y25kKXBrnV1DkJKvqlqOdxa4HJgcj9IbWsHQt0OuAr+nnZpIIGrHcSrlQjzZFp4i1S1D7Jqijq1ThIi63+mzods1lx5vjsKCcIFrernBqtIaT6rkE6K5jxudd7cjiKydh/HRKpEIzXSyAXHqQIjKTqWwAYaumiFZj1TtOeS9xGoYAao2PHi8+FUSQ/3Sjx5guSdHow4YBZUFdqE46mq59vi/ag58Ij8TyzQzTSsuBOALDykyHrv3geHSXgJd8X8XxbHSopotJp0Kru0q96ukHjWHmWgQgny4zRuEAw8u1Dd/y3lRoVoaGB+kSogYTdMnaVwmFAaXMjZrqGj0hRimKnq4a775BBXyoACMDSj1RMoMgZU2MvTAefJVQD7YLuos2a1jTETWekefhH+pllxUYv3/DI4M4okgDYemTqTNW6TWs4ByivRPgP9hqdDl2+PI/3N8//1xw7QWWccjU+qmFxnYak8JR0bofx7X3BtXx2XLI5FETqP8z/o+Vnk1Lzz432mz92E9B8TDFSAOg3eJCANWhOzyaooXqa81mJdnYsjKaWzr8ia6ontxTfkoHyVUwqJTpSa1DVcIA0pvaDBtEfrcsB94fUtgq8xL6KA/WaGZt1rzpNfzD/OLcanjktBdP8CrPWIiJaeytyh2pQrkKfWhDfeFNQNhmnxywMU+zhkfzMaJNapTAULhZW7jX0u4e3cfGzAeIVsEPk3bSKL+KNYnEkbJN9Hj4Ge1t+XeeHXq+bjcqA02gF+0z3GPcRBYBuXlOKvGA/D85lvrqGKHBxmTdbbiR5aPoHvuyatGVKQfdBEJmd07E/VOiLT8WdcEuL5ltH3PTxc45kk8BIWMNcEoKJMhg8ZbVa52Kw50IMlmdOx+0xkMGxrwr757/7nAwGxzl8v3UtaMmBp8Eu3OzjwNi1XB+Mj37IzFnRkOUbATz6J5FIP9606YpNP5zblq8SsWb9AlZkuowfEJiDwsLbXYurYeBsSmUCMexk3pQg67qtWE4/0kH/Ney0u7R3O4aBd0CTuDhnV6QZ/nDEfeUwMc4IIq20Rk5fME4uY/C8H25uQHnHAVSbtGLFiHWSqXMnXCVFTmflVj3c8vOCkPAzWYozSZXvbzvBJO3GYM/j6i+pMZ7OuCKmYg41yGsK3na5vHjjo6xeuRJU441ULqbbfpcEPj9j0/JRu3oxFrobLk4Y2QBttuY9WPzz/Rf8zEME5OIZWVD0IzMk/xjtZ0rNx2gtiR94yaGJrqqV/kQm4g89nM7CO2dbBWJDkeLWGgy283EajJvVFyT3G5fqAA/9FZ40A1V+BhxWC55Cq9OtMBuCdnKfR38jv5Z8dAr7bAJYRri6EYgV+sDqn8Nt/wfnNsFTfy5uPujM+HTMEHjEm8lG0dPpgYbXM+oQzOcWu6VVl6oSg+tsynyj0TVHJUT9S6Hu9fvPEQKBiBU+Fok6zlskqSkov+Av3shx59MZmVAG1lRkS08skJAi+kQIqUFps1aStehlN3aqdRgte7erFQNeNGi+ivR4GncHvLRW2eOTZBTYktkaznFUkRLIui4toXL0reju0Eg+igeXJrVlhjywwAYwEM6O4zvQYKzAYJdQLW9Lzjf86xoERieuQuJR5DR+c8HVxI38KKtmzqzh7DnUJamoJkwudd/Kg4fwkd2OMK3ZM6A+GT9CFtbWzR+Y/TeW1dDsdb+gFMoRhAZaVmhhHXVs5ZkDw3LFEAHm2Kapz5nZeWrFohoK2tph3vnCVYr8A9xNP/8ES//qDSl7tWfUKXtTRS2XJdZ3sWjOl69UrVmcd+hfCBgRK3441KvCzMGcUYp4FBcdTaCqN+ckWW/BpuL3w3k/xsgyViCFdXoN3uOkkuUWfufvFOeX1YV9Ahs7Togj40m15193D7dD3vgufC1CPYwNPPQ6+LF1NQ4Kgnq+cU81JvpfQx43AtIESGY1fpEfEJFpfWrBc02hbIllgfVAIxYucNkBOnrJv/j13jJTjLib/h1RE5mN/X8rIPMHQl0np9ieUjN2RcWYotkqCcX+hEA8x/YlrYdsaff8XefFgLQn88793JpF95YAoL4Q2mGDdGg+PFqNRO/rtfktVH78uvT42SqvHRqBqqz9Z+aWr8hcj0O4pxlU3vq3wH6Ixxs+JtL+lESuTvI1IfMtZeoGGDBOyjoX8gvr7nYqkRcvoY7AFMAdJMjAtanITliSASgz8tdaIZFqqt+Nonkp3WK/5NSKp3lNZ+YwM9l1l3KperOfenzo8KW9lV64U1sfQU45vH9AsFbRY5S+YHPWLV7UOaHzoTdShQmxrLshkKb9tdS5kqKN0A4kNN73U40SnkOpGTnConcDjvxgV/RmyYoCZJA7Z6EW6rXI0KdTmqXmeymhzLzEcfKmNFatHiUXUXYORWbaI09tJ11MqliOpRzfFzL3b2iQtdQ7x626oDZV0DI2uQRqLdq6XApewrxO8k0expvqaTnBf+w3fCIKmIYw0cjZ7zmIL5W+tfCpEJ1Lt742vPQ7bLOo98C/w06PcNcs0DAMl/dNYhN22CWlu7qN8o0wc/55pfboCCcdIi83uyRK66X2Ls7+QHmC8F1KJk3/nl7P38iIs2vofexBFOOs9rDwe3g1HsbsXBvH2Sz1kL7e6+wUv3DoJoX+mrfOQSq/LfHfzGOFgrLi9mULA4KrZgAwZKdoWdvLt8yCDyphy1tOQCXGypqbhFwFqIxvVcPUA4mRd8Jho/6K2l00y7cSce21pawf9BjJg1lj/cMIWd6f+epkhIysNXfxunITgdd8tSRSmVupNyvI52shGCWP6/daKv5PQyL7+cqgjVpwKuHSeWApbzMKV1NKCNalmgm/G/nEW6d4dZG9mGZBYjbxAAAAAWJW/nfD9c7j4Qz/fnuCB8aTQFypcY9lzgAT4YikhyEvL0vhMsQY3Ivggizy8+CwkZIVQ0r0FRnhr6OxUQ6B8iA=="	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02pqbxjqyidjvszg\DeviceId = "<Data LastUpdatedTime=\"1638352908\"><User username=\"02PQBXJQYIDJVSZG\"><HardwareInfo BoundTime=\"1638352909\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordCharacterGroups = "2"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02lrqqzjiojuqmiq\AppIdList	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02pqbxjqyidjvszg\DeviceId = "<Data LastUpdatedTime=\"1638352908\"><User username=\"02PQBXJQYIDJVSZG\"><HardwareInfo BoundTime=\"1638352908\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02pqbxjqyidjvszg\DeviceId = "<Data LastUpdatedTime=\"1638352908\"><User username=\"02PQBXJQYIDJVSZG\"><HardwareInfo BoundTime=\"1638352909\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02pqbxjqyidjvszg\DeviceId = "<Data LastUpdatedTime=\"1638352908\"><User username=\"02PQBXJQYIDJVSZG\"/></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-257790753-2419383948-818201544-1000\02qqqcvzxuoqieqh	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-257790753-2419383948-818201544-1000\02qqqcvzxuoqieqh\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "00184005A9B70ACC"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "00184005A9B70ACC"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02pqbxjqyidjvszg	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-257790753-2419383948-818201544-1000\ValidDeviceId = "02qqqcvzxuoqieqh"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordCharacterGroups = "2"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02pqbxjqyidjvszg\DeviceId = "<Data LastUpdatedTime=\"1638352908\"><User username=\"02PQBXJQYIDJVSZG\"><HardwareInfo BoundTime=\"1638352909\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"2\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-257790753-2419383948-818201544-1000\02qqqcvzxuoqieqh\DeviceId = "<Data><User username=\"02QQQCVZXUOQIEQH\"><HardwareInfo BoundTime=\"1638353749\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\" LicenseInstallError=\"0\"/></User></Data>\r\n"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordLength = "8"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\ValidDeviceId	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02pqbxjqyidjvszg\Provision Saturday, September 04, 2021 08:01:43 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAxPWI57fHyE6TmuDQDjWJfAAAAAACAAAAAAAQZgAAAAEAACAAAADhqdGZbh55H95VdfAgRT3e9w0ruEtEAdb9l4Dn84QBkAAAAAAOgAAAAAIAACAAAABYdkYk5srGHIBWxbiaCj9EgZzIf1Dr857B/gCFUMAaWCAAAAD/+aoLDFUYTCuGOxSJWXgi4NAnSu6+lmkPCwi+YobuwkAAAADRA7W4rMw225ULh/NC6Qe9kcex5CNa8HBs9T/4QtMf1R2BFbcrVHN3j8j6he2xIiOHTmyOXuDfen4D+RZqhKa9"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordLength = "8"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	svchost.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\SystemCertificates\CA\Certificates\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\SystemCertificates\CA\Certificates\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8\Blob = 03000000010000001400000027ac9369faf25207bb2627cefaccbe4ef9c319b814000000010000001400000040c2bd278ecc348330a233d7fb6cb3f0b42c80ce04000000010000001000000096c25031bc0dc35cfba723731e1b41400f0000000100000020000000f9ff37f02e632cb7387025c07e57908a3d371b7c95d8cdd0390de231ed943a12190000000100000010000000ce63bdc595635c1c37b040b4e554bf565c00000001000000040000000008000018000000010000001000000021d008b47b7a2a81c8435903ded424c94b0000000100000044000000320032003300440045003900360045004500320036003500300034003600390035003700410036003600300045004400370043003900440044003900450037005f0000002000000001000000d4040000308204d0308203b8a003020102020107300d06092a864886f70d01010b0500308183310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e3131302f06035504031328476f20446164647920526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3131303530333037303030305a170d3331303530333037303030305a3081b4310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e312d302b060355040b1324687474703a2f2f63657274732e676f64616464792e636f6d2f7265706f7369746f72792f313330310603550403132a476f2044616464792053656375726520436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100b9e0cb10d4af76bdd49362eb3064b881086cc304d962178e2fff3e65cf8fce62e63c521cda16454b55ab786b63836290ce0f696c99c81a148b4ccc4533ea88dc9ea3af2bfe80619d7957c4cf2ef43f303c5d47fc9a16bcc3379641518e114b54f828bed08cbef030381ef3b026f86647636dde7126478f384753d1461db4e3dc00ea45acbdbc71d9aa6f00dbdbcd303a794f5f4c47f81def5bc2c49d603bb1b24391d8a4334eeab3d6274fad258aa5c6f4d5d0a6ae7405645788b54455d42d2a3a3ef8b8bde9320a029464c4163a50f14aaee77933af0c20077fe8df0439c269026c6352fa77c11bc87487c8b993185054354b694ebc3bd3492e1fdcc1d252fb0203010001a382011a30820116300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e0416041440c2bd278ecc348330a233d7fb6cb3f0b42c80ce301f0603551d230418301680143a9a8507106728b6eff6bd05416e20c194da0fde303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e676f64616464792e636f6d2f30350603551d1f042e302c302aa028a0268624687474703a2f2f63726c2e676f64616464792e636f6d2f6764726f6f742d67322e63726c30460603551d20043f303d303b0604551d20003033303106082b06010505070201162568747470733a2f2f63657274732e676f64616464792e636f6d2f7265706f7369746f72792f300d06092a864886f70d01010b05000382010100087e6c9310c838b896a9904bffa15f4f04ef6c3e9c8806c9508fa673f757311bbebce42fdbf8bad35be0b4e7e679620e0ca2d76a637331b5f5a848a43b082da25d90d7b47c254f115630c4b6449d7b2c9de55ee6ef0c61aabfe42a1bee849eb8837dc143ce44a713700d911ff4c813ad8360d9d872a873241eb5ac220eca17896258441bab892501000fcdc41b62db51b4d30f512a9bf4bc73fc76ce36a4cdd9d82ceaae9bf52ab290d14d75188a3f8a4190237d5b4bfea403589b46b2c3606083f87d5041cec2a190c3bbef022fd21554ee4415d90aaea78a33edb12d763626dc04eb9ff7611f15dc876fee469628ada1267d0a09a72e04a38dbcf8bc043001	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f6362000000010000002000000096bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c60b000000010000001a0000004900530052004700200052006f006f0074002000580031000000090000000100000016000000301406082b0601050507030206082b0601050507030114000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e1d000000010000001000000073b6876195f5d18e048510422aef04e3030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e820000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e81d000000010000001000000073b6876195f5d18e048510422aef04e314000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e090000000100000016000000301406082b0601050507030206082b060105050703010b000000010000001a0000004900530052004700200052006f006f007400200058003100000062000000010000002000000096bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f6320000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 1900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f6362000000010000002000000096bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c60b000000010000001a0000004900530052004700200052006f006f0074002000580031000000090000000100000016000000301406082b0601050507030206082b0601050507030114000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e1d000000010000001000000073b6876195f5d18e048510422aef04e3030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000000400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e81d000000010000001000000073b6876195f5d18e048510422aef04e314000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e090000000100000016000000301406082b0601050507030206082b060105050703010b000000010000001a0000004900530052004700200052006f006f007400200058003100000062000000010000002000000096bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe

pid	process
856	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
856	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
856	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
856	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

wmic.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3764	wmic.exe
Token: SeSecurityPrivilege	3764	wmic.exe
Token: SeTakeOwnershipPrivilege	3764	wmic.exe
Token: SeLoadDriverPrivilege	3764	wmic.exe
Token: SeSystemProfilePrivilege	3764	wmic.exe
Token: SeSystemtimePrivilege	3764	wmic.exe
Token: SeProfSingleProcessPrivilege	3764	wmic.exe
Token: SeIncBasePriorityPrivilege	3764	wmic.exe
Token: SeCreatePagefilePrivilege	3764	wmic.exe
Token: SeBackupPrivilege	3764	wmic.exe
Token: SeRestorePrivilege	3764	wmic.exe
Token: SeShutdownPrivilege	3764	wmic.exe
Token: SeDebugPrivilege	3764	wmic.exe
Token: SeSystemEnvironmentPrivilege	3764	wmic.exe
Token: SeRemoteShutdownPrivilege	3764	wmic.exe
Token: SeUndockPrivilege	3764	wmic.exe
Token: SeManageVolumePrivilege	3764	wmic.exe
Token: 33	3764	wmic.exe
Token: 34	3764	wmic.exe
Token: 35	3764	wmic.exe
Token: 36	3764	wmic.exe
Token: SeIncreaseQuotaPrivilege	3764	wmic.exe
Token: SeSecurityPrivilege	3764	wmic.exe
Token: SeTakeOwnershipPrivilege	3764	wmic.exe
Token: SeLoadDriverPrivilege	3764	wmic.exe
Token: SeSystemProfilePrivilege	3764	wmic.exe
Token: SeSystemtimePrivilege	3764	wmic.exe
Token: SeProfSingleProcessPrivilege	3764	wmic.exe
Token: SeIncBasePriorityPrivilege	3764	wmic.exe
Token: SeCreatePagefilePrivilege	3764	wmic.exe
Token: SeBackupPrivilege	3764	wmic.exe
Token: SeRestorePrivilege	3764	wmic.exe
Token: SeShutdownPrivilege	3764	wmic.exe
Token: SeDebugPrivilege	3764	wmic.exe
Token: SeSystemEnvironmentPrivilege	3764	wmic.exe
Token: SeRemoteShutdownPrivilege	3764	wmic.exe
Token: SeUndockPrivilege	3764	wmic.exe
Token: SeManageVolumePrivilege	3764	wmic.exe
Token: 33	3764	wmic.exe
Token: 34	3764	wmic.exe
Token: 35	3764	wmic.exe
Token: 36	3764	wmic.exe
Token: SeBackupPrivilege	992	vssvc.exe
Token: SeRestorePrivilege	992	vssvc.exe
Token: SeAuditPrivilege	992	vssvc.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe

description	pid	process	target process
PID 856 wrote to memory of 3764	856	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe	wmic.exe
PID 856 wrote to memory of 3764	856	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe	wmic.exe
PID 856 wrote to memory of 3764	856	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
"C:\Users\Admin\AppData\Local\Temp\872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe"
1⤵
- Drops startup file
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:856