GandCrab 4.0 Technical Analysis and Cracking

Hey!

It’s been a while since I last played around with new malware samples, so I ended up picking a GandCrab v4.0 sample and decided to analyze it!

Setup :-
Virtualbox / VMware
Kali Linux / *Nix (Just for some high level analysis)
Ida Pro
Volatility
Process Hacker
vmss2core

Let’s start by taking a snapshot before infecting the machine, so that it’s easy to revert when you move on to analyze something else and you don’t need to install everything from scratch.

Before running the malware, let’s start Process Hacker so that it’s easier to watch what happens live, and so we can later corroborate those observations with what we find in the memory dump.

Now that Process Hacker is up and running, let’s run GandCrabv4.exe and see what exactly it breaks.

After running GandCrab v4 it generates the sweet ransom note, and the process can be seen in Process Hacker below. Let’s open the KRAB-DECRYPT note.

As expected, it drops a private key and a PC dump key.

Now you can either analyze the process with the help of Process Hacker or start by taking a memory dump, which is what I prefer.

Let’s suspend the machine and use vmss2core to create a memory dump.

Suspending the VM creates two files, a .vmem and a .vmss file, which vmss2core uses to create a .dmp file; that file is then handed to Volatility to perform the memory forensics.

Let’s use vmss2core to make the dump file. If it succeeds, this is what it looks like. Please note: always pass the “vmss” file first and then the “vmem” file.

Now we need to figure out which profile (operating system version) this image needs, and to do that I am going to use Volatility.

We can see the suggested profile is Win7SP1x64, so we now convert the dump into the final .raw file for our analysis.

Once this is done we will have GC.raw and can start our analysis!

As always, let’s start with pslist.

Now we can either start reversing GandCrabv4.exe or analyze the memory a bit; I will analyze the memory first before loading everything into the decompiler.

From the process listing we can also see that explorer.exe started GandCrabv4.exe, which possibly indicates process injection. Also, explorer.exe was invoked by PPID 1400, but I can’t find that process.

Now, to find PID 1400, I am going to use psscan, which should also show terminated processes.

Well, that clearly didn’t work. I think it’s time to run malfind to check for injected DLLs and ultimately see the shellcode that might have been injected.

Malfind works on the VAD information (vadinfo and vadmap); its internal workings are out of scope for this blog post.

The output clearly shows that explorer.exe has been injected into.

C:\Users\Coding_Karma\Desktop\GandCrab-v4.0>volatility -f GC.raw --profile=Win7SP1x64 malfind
Volatility Foundation Volatility Framework 2.6
Process: explorer.exe Pid: 1472 Address: 0x2660000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x02660000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x02660010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x02660020 00 00 66 02 00 00 00 00 00 00 00 00 00 00 00 00 ..f.............
0x02660030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x02660000 0000             ADD [EAX], AL
0x02660002 0000 ADD [EAX], AL
0x02660004 0000 ADD [EAX], AL
0x02660006 0000 ADD [EAX], AL
0x02660008 0000 ADD [EAX], AL
0x0266000a 0000 ADD [EAX], AL
0x0266000c 0000 ADD [EAX], AL
0x0266000e 0000 ADD [EAX], AL
0x02660010 0000 ADD [EAX], AL
0x02660012 0000 ADD [EAX], AL
0x02660014 0000 ADD [EAX], AL
0x02660016 0000 ADD [EAX], AL
0x02660018 0000 ADD [EAX], AL
0x0266001a 0000 ADD [EAX], AL
0x0266001c 0000 ADD [EAX], AL
0x0266001e 0000 ADD [EAX], AL
0x02660020 0000 ADD [EAX], AL
0x02660022 660200 ADD AL, [EAX]
0x02660025 0000 ADD [EAX], AL
0x02660027 0000 ADD [EAX], AL
0x02660029 0000 ADD [EAX], AL
0x0266002b 0000 ADD [EAX], AL
0x0266002d 0000 ADD [EAX], AL
0x0266002f 0000 ADD [EAX], AL
0x02660031 0000 ADD [EAX], AL
0x02660033 0000 ADD [EAX], AL
0x02660035 0000 ADD [EAX], AL
0x02660037 0000 ADD [EAX], AL
0x02660039 0000 ADD [EAX], AL
0x0266003b 0000 ADD [EAX], AL
0x0266003d 0000 ADD [EAX], AL
0x0266003f 00 DB 0x0
Process: explorer.exe Pid: 1472 Address: 0x39a0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 16, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x039a0000  41 ba 80 00 00 00 48 b8 38 a1 44 fd fe 07 00 00   A.....H.8.D.....
0x039a0010 48 ff 20 90 41 ba 81 00 00 00 48 b8 38 a1 44 fd H...A.....H.8.D.
0x039a0020 fe 07 00 00 48 ff 20 90 41 ba 82 00 00 00 48 b8 ....H...A.....H.
0x039a0030 38 a1 44 fd fe 07 00 00 48 ff 20 90 41 ba 83 00 8.D.....H...A...
0x039a0000 41               INC ECX
0x039a0001 ba80000000 MOV EDX, 0x80
0x039a0006 48 DEC EAX
0x039a0007 b838a144fd MOV EAX, 0xfd44a138
0x039a000c fe07 INC BYTE [EDI]
0x039a000e 0000 ADD [EAX], AL
0x039a0010 48 DEC EAX
0x039a0011 ff20 JMP DWORD [EAX]
0x039a0013 90 NOP
0x039a0014 41 INC ECX
0x039a0015 ba81000000 MOV EDX, 0x81
0x039a001a 48 DEC EAX
0x039a001b b838a144fd MOV EAX, 0xfd44a138
0x039a0020 fe07 INC BYTE [EDI]
0x039a0022 0000 ADD [EAX], AL
0x039a0024 48 DEC EAX
0x039a0025 ff20 JMP DWORD [EAX]
0x039a0027 90 NOP
0x039a0028 41 INC ECX
0x039a0029 ba82000000 MOV EDX, 0x82
0x039a002e 48 DEC EAX
0x039a002f b838a144fd MOV EAX, 0xfd44a138
0x039a0034 fe07 INC BYTE [EDI]
0x039a0036 0000 ADD [EAX], AL
0x039a0038 48 DEC EAX
0x039a0039 ff20 JMP DWORD [EAX]
0x039a003b 90 NOP
0x039a003c 41 INC ECX
0x039a003d ba DB 0xba
0x039a003e 83 DB 0x83
0x039a003f 00 DB 0x0
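
As an added example (my own code, not from the original post or the Volatility project), here is a small Python triage script for the malfind output above. It parses each reported region, marks near-empty RWX pages like the first hit as low priority, and recognises the repeating 64-bit stubs in the second hit (mov r10d, imm32 / mov rax, imm64 / jmp [rax]). The embedded sample is a constructed excerpt of that output; the classification thresholds and verdict names are my own.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the malfind output shown above (hex dump rows only;
# the disassembly rows malfind prints after each dump are skipped by the parser).
SAMPLE_MALFIND = """\
Volatility Foundation Volatility Framework 2.6
Process: explorer.exe Pid: 1472 Address: 0x2660000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x02660000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x02660010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x02660020  00 00 66 02 00 00 00 00 00 00 00 00 00 00 00 00   ..f.............
0x02660030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x02660000 0000             ADD [EAX], AL
Process: explorer.exe Pid: 1472 Address: 0x39a0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 16, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x039a0000  41 ba 80 00 00 00 48 b8 38 a1 44 fd fe 07 00 00   A.....H.8.D.....
0x039a0010  48 ff 20 90 41 ba 81 00 00 00 48 b8 38 a1 44 fd   H...A.....H.8.D.
0x039a0020  fe 07 00 00 48 ff 20 90 41 ba 82 00 00 00 48 b8   ....H...A.....H.
0x039a0030  38 a1 44 fd fe 07 00 00 48 ff 20 90 41 ba 83 00   8.D.....H...A...
0x039a0000 41               INC ECX
"""

HEADER_RE = re.compile(r"^Process:\s+(\S+)\s+Pid:\s+(\d+)\s+Address:\s+(0x[0-9a-fA-F]+)")
VAD_RE = re.compile(r"^Vad Tag:\s+(\S+)\s+Protection:\s+(\S+)")
FLAGS_RE = re.compile(r"^Flags:.*CommitCharge:\s*(\d+)")
# A hex-dump row: address, exactly 16 two-digit bytes, then the ASCII column.
HEX_RE = re.compile(r"^0x[0-9a-f]+\s+((?:[0-9a-f]{2}\s){15}[0-9a-f]{2})\s")
# One 64-bit stub as dumped at 0x39a0000:
#   41 ba imm32   mov r10d, imm32
#   48 b8 imm64   mov rax, imm64
#   48 ff 20      jmp qword ptr [rax]
STUB_RE = re.compile(rb"\x41\xba(.{4})\x48\xb8(.{8})\x48\xff\x20", re.S)

@dataclass
class Region:
    process: str
    pid: int
    address: int
    vad_tag: str = ""
    protection: str = ""
    commit_charge: int = 0
    data: bytes = b""

def parse_malfind(text):
    """Split malfind text output into Region records with their dumped bytes."""
    regions, cur = [], None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            cur = Region(m[1], int(m[2]), int(m[3], 16))
            regions.append(cur)
        elif cur is None:
            continue
        elif m := VAD_RE.match(line):
            cur.vad_tag, cur.protection = m[1], m[2]
        elif m := FLAGS_RE.match(line):
            cur.commit_charge = int(m[1])
        elif m := HEX_RE.match(line):
            cur.data += bytes.fromhex(m[1])
    return regions

def decode_stubs(data):
    """(r10d immediate, jump-target pointer) for every complete stub in data."""
    return [(int.from_bytes(m[1], "little"), int.from_bytes(m[2], "little"))
            for m in STUB_RE.finditer(data)]

def triage(region, empty_threshold=0.10):
    """Classify one malfind hit. The threshold is my own choice, not Volatility's."""
    if not region.data:
        return "no-data"
    if "EXECUTE" not in region.protection:
        return "not-executable"
    if region.data[:2] == b"MZ":
        return "pe-header"      # a whole PE image mapped in: the textbook case
    nonzero = sum(1 for b in region.data if b) / len(region.data)
    if nonzero < empty_threshold:
        # First hit above: RWX but almost all zeros. The only non-zero bytes
        # (00 00 66 02 at +0x20) are the region's own base 0x02660000 stored
        # little-endian, i.e. bookkeeping, not code. Low priority.
        return "near-empty"
    if len(decode_stubs(region.data)) >= 2:
        # Second hit: repeated 20-byte stubs, r10d incrementing, one shared jump
        # target. That looks like a thunk table and is worth dumping.
        return "jmp-stub-table"
    return "code"

def summarize(text):
    """(process, pid, address, verdict) for each region, for a quick triage table."""
    return [(r.process, r.pid, hex(r.address), triage(r)) for r in parse_malfind(text)]

if __name__ == "__main__":
    for row in summarize(SAMPLE_MALFIND):
        print("%-14s %5d %-10s %s" % row)
    for idx, target in decode_stubs(parse_malfind(SAMPLE_MALFIND)[1].data):
        print("stub r10d=0x%02x  jmp [0x%x]" % (idx, target))
```

Feeding the real `volatility -f GC.raw --profile=Win7SP1x64 malfind` text into parse_malfind works the same way, since it only keys on the Process, Vad Tag and Flags headers and the hex-dump rows.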

So now we can either try dumping the binary for explorer.exe or dump GandCrab.exe.

But before that, let’s play around a bit more with dlllist and handles to check for dropped files or registry keys.

Let’s look at dlllist!

Nothing interesting, so if we didn’t already know this is the fishy process, it would be tough to analyze this malware.

Let’s look at the handles. It gives out so many entries; this is how the result looks:

C:\Users\Coding_Karma\Desktop\GandCrab-v4.0>volatility -f GC.raw --profile=Win7SP1x64 handles -p 2932
Volatility Foundation Volatility Framework 2.6
Offset(V) Pid Handle Access Type Details
------------------ ------ ------------------ ------------------ ---------------- -------
0xfffff8a00716c3d0 2932 0x4 0x9 Key MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS
0xfffff8a0042c2840 2932 0x8 0x3 Directory KnownDlls
0xfffff8a006ea4370 2932 0xc 0x3 Directory KnownDlls32
0xfffffa80039db400 2932 0x10 0x100020 File \Device\HarddiskVolume1\Windows
0xfffff8a002d56810 2932 0x14 0x9 Key MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS
0xfffff8a006ea4370 2932 0x18 0x3 Directory KnownDlls32
0xfffffa8002356af0 2932 0x1c 0x100020 File \Device\HarddiskVolume1\Users\Coding_Karma\Desktop
0xfffff8a002e94590 2932 0x20 0x20019 Key MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\SORTING\VERSIONS
0xfffff8a003f64bb0 2932 0x24 0x1 Key MACHINE\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER
0xfffffa80031a0750 2932 0x28 0x1f0001 ALPC Port
0xfffffa800348a690 2932 0x2c 0x100003 Semaphore
0xfffffa80024f7a50 2932 0x30 0x100003 Semaphore
0xfffffa8003648670 2932 0x34 0x1f0001 Mutant
0xfffff8a002953840 2932 0x38 0x20019 Key MACHINE
0xfffffa8002478650 2932 0x3c 0x1f0003 Event
0xfffffa8003c40bf0 2932 0x40 0x804 EtwRegistration
0xfffffa80034870e0 2932 0x44 0x21f0003 Event
0xfffffa80031cd4a0 2932 0x48 0xf037f WindowStation WinSta0
0xfffffa80031de090 2932 0x4c 0xf01ff Desktop Default
0xfffffa80031cd4a0 2932 0x50 0xf037f WindowStation WinSta0
0xfffffa8002495db0 2932 0x54 0x804 EtwRegistration
0xfffffa800320a4b0 2932 0x58 0x804 EtwRegistration
0xfffffa8002385330 2932 0x5c 0x804 EtwRegistration
0xfffffa8002477610 2932 0x60 0x804 EtwRegistration
0xfffffa80024765f0 2932 0x64 0x804 EtwRegistration
0xfffffa80022e8590 2932 0x68 0x804 EtwRegistration
0xfffffa800243fcf0 2932 0x6c 0x804 EtwRegistration
0xfffffa8001c82e80 2932 0x70 0x1f0003 Event
0xfffff8a003eff2f0 2932 0x74 0x20019 Key MACHINE\SYSTEM\CONTROLSET001\CONTROL\NETWORKPROVIDER\HWORDER
0xfffffa8002498c90 2932 0x78 0x100003 Semaphore
0xfffffa8002367270 2932 0x7c 0x100003 Semaphore
0xfffffa80024d7e60 2932 0x80 0x804 EtwRegistration
0xfffffa800243f1a0 2932 0x84 0x1f0003 Event
0xfffffa800323b660 2932 0x88 0x1f0003 Event
0xfffffa8002429710 2932 0x8c 0x1f0003 Event
0xfffffa800243b250 2932 0x90 0x1f0003 Event
0xfffffa8001c7ede0 2932 0x94 0x1f0003 Event
0xfffffa8003bf0b20 2932 0x98 0x1f0003 Event
0xfffff8a001611b70 2932 0x9c 0xf Directory BaseNamedObjects
0xfffff8a0071df740 2932 0xa0 0x1 Key MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE
0xfffff8a00872e8b0 2932 0xa4 0xf003f Key USER\S-1-5-21-2428178914-2458993905-4034080872-1000
0xfffff8a001cd4690 2932 0xa8 0x6 Section windows_shell_global_counters
0xfffffa800248a660 2932 0xac 0x130196 File \Device\HarddiskVolume1\ProgramData\8B5BA9B94369250C5F2C.lock
0xfffffa8001c896f0 2932 0xb0 0x804 EtwRegistration
0xfffffa8002439da0 2932 0xb4 0x1f0003 Event
0xfffffa8002495b00 2932 0xb8 0x1f0003 Event
0xfffffa80039d8690 2932 0xbc 0x1f0003 Event
0xfffffa800249f540 2932 0xc0 0x804 EtwRegistration
0xfffffa80024821c0 2932 0xc4 0x804 EtwRegistration
0xfffffa8002f18060 2932 0xc8 0x1f0003 Event
0xfffffa80023473e0 2932 0xcc 0x1fffff Thread TID 2588 PID 2932
0xfffffa8002e16460 2932 0xd0 0x1f0001 ALPC Port
0xfffffa8002379b60 2932 0xd4 0x1fffff Thread TID 804 PID 2932
0xfffffa80025096d0 2932 0xd8 0x804 EtwRegistration
0xfffffa80023c17d0 2932 0xdc 0x804 EtwRegistration
0xfffffa800243d860 2932 0xe0 0x100001 File \Device\KsecDD
0xfffffa8002326820 2932 0xe4 0x804 EtwRegistration
0xfffffa80023886a0 2932 0xe8 0x100020 File \Device\HarddiskVolume1\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2
0xfffffa80039299d0 2932 0xec 0x21f0003 Event
0xfffffa8002476eb0 2932 0xf0 0x804 EtwRegistration
0xfffffa8002475070 2932 0xf4 0x804 EtwRegistration
0xfffff8a008731a90 2932 0xf8 0x20019 Key MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
0xfffff8a0086af480 2932 0xfc 0x2001f Key USER\S-1-5-21-2428178914-2458993905-4034080872-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
0xfffff8a0087bead0 2932 0x100 0x20019 Key USER\S-1-5-21-2428178914-2458993905-4034080872-1000\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
0xfffff8a008765720 2932 0x104 0x20019 Key USER\S-1-5-21-2428178914-2458993905-4034080872-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
0xfffff8a00823fad0 2932 0x108 0x20019 Key MACHINE\SOFTWARE\POLICIES
0xfffff8a0071f58c0 2932 0x10c 0x20019 Key USER\S-1-5-21-2428178914-2458993905-4034080872-1000\SOFTWARE\POLICIES
0xfffff8a00284d690 2932 0x110 0x20019 Key USER\S-1-5-21-2428178914-2458993905-4034080872-1000\SOFTWARE
0xfffff8a0087f60b0 2932 0x114 0x20019 Key MACHINE\SOFTWARE\WOW6432NODE
0xfffff8a0070c8d80 2932 0x118 0x20019 Key MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
0xfffffa8003824060 2932 0x11c 0x1f0003 Event
0xfffffa8002379b60 2932 0x120 0x1fffff Thread TID 804 PID 2932
0xfffffa800223ce70 2932 0x124 0x100000 Mutant _!MSFTHISTORY!_
0xfffffa80022d8450 2932 0x128 0x100000 Mutant c:!users!coding_karma!appdata!local!microsoft!windows!temporary internet files!content.ie5!
0xfffffa800235d360 2932 0x12c 0x12019f File \Device\HarddiskVolume1\Users\Coding_Karma\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
0xfffff8a0032def00 2932 0x130 0x2 Section C:_Users_Coding_Karma_AppData_Local_Microsoft_Windows_Temporary Internet Files_Content.IE5_index.dat_32768
0xfffff8a0087c8af0 2932 0x134 0x1 Key USER\S-1-5-21-2428178914-2458993905-4034080872-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER
0xfffffa80022324a0 2932 0x138 0x100000 Mutant c:!users!coding_karma!appdata!roaming!microsoft!windows!cookies!
0xfffffa80023182c0 2932 0x13c 0x12019f File \Device\HarddiskVolume1\Users\Coding_Karma\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
0xfffff8a0032fc680 2932 0x140 0x2 Section C:_Users_Coding_Karma_AppData_Roaming_Microsoft_Windows_Cookies_index.dat_32768
0xfffffa80024ccd20 2932 0x144 0x100000 Mutant c:!users!coding_karma!appdata!local!microsoft!windows!history!history.ie5!
0xfffffa80022eaf20 2932 0x148 0x12019f File \Device\HarddiskVolume1\Users\Coding_Karma\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
0xfffff8a003e77df0 2932 0x14c 0x2 Section C:_Users_Coding_Karma_AppData_Local_Microsoft_Windows_History_History.IE5_index.dat_49152
0xfffffa8002f64b00 2932 0x150 0x1f0003 IoCompletion
0xfffffa80024a2c30 2932 0x154 0xf00ff TpWorkerFactory
0xfffffa80038e8b60 2932 0x158 0x1fffff Thread TID 1196 PID 2932
0xfffff8a0087bda00 2932 0x15c 0xf0003 KeyedEvent
0xfffffa80024668c0 2932 0x160 0x100002 Timer
0xfffffa8002470ef0 2932 0x164 0x1f0003 Timer
0xfffffa8003758660 2932 0x168 0x1fffff Thread TID 2980 PID 2932
0xfffffa8003758660 2932 0x16c 0x1fffff Thread TID 2980 PID 2932
0xfffffa800243e9a0 2932 0x170 0x1f0003 IoCompletion
0xfffffa800249d8b0 2932 0x174 0xf00ff TpWorkerFactory
0xfffffa80024ff6f0 2932 0x178 0x100002 Timer
0xfffffa8002450210 2932 0x17c 0x1f0001 Mutant WininetStartupMutex
0xfffffa8002379b60 2932 0x180 0x1fffff Thread TID 804 PID 2932
0xfffffa8001e2d6d0 2932 0x184 0x804 EtwRegistration
0xfffffa8002efcdd0 2932 0x188 0x1f0003 Event
0xfffffa8002339ae0 2932 0x18c 0x100003 Semaphore
0xfffffa800381a5b0 2932 0x190 0x100003 Semaphore
0xfffffa80039ebf20 2932 0x194 0x100003 Semaphore
0xfffffa800399d680 2932 0x198 0x100003 Semaphore
0xfffffa80026f5730 2932 0x19c 0x100003 Semaphore
0xfffffa8002477fe0 2932 0x1a0 0x100003 Semaphore
0xfffffa800348b740 2932 0x1a4 0x100003 Semaphore
0xfffffa8003246060 2932 0x1a8 0x100003 Semaphore
0xfffffa8002eb3a30 2932 0x1ac 0x1f0003 Event
0xfffff8a00710e3b0 2932 0x1b0 0x20019 Key MACHINE\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9
0xfffffa8002eff630 2932 0x1b4 0x1f0003 Event
0xfffff8a002a68580 2932 0x1b8 0x20019 Key MACHINE\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\NAMESPACE_CATALOG5
0xfffffa800251fca0 2932 0x1bc 0x804 EtwRegistration
0xfffffa800250d270 2932 0x1c0 0x804 EtwRegistration
0xfffffa8002efba80 2932 0x1c4 0x1f0003 Event
0xfffffa800244d4c0 2932 0x1c8 0x1f0001 Mutant WininetConnectionMutex
0xfffffa800392bc00 2932 0x1cc 0x1f0001 Mutant WininetProxyRegistryMutex
0xfffffa8002e18480 2932 0x1d0 0x1f0003 Event
0xfffffa800242f110 2932 0x1d4 0x1f0001 Mutant RasPbFile
0xfffffa800370b9e0 2932 0x1d8 0x1f0003 Event
0xfffffa800245d600 2932 0x1dc 0x1f0003 Event
0xfffffa8002ebd460 2932 0x1e0 0x1f0003 Event
0xfffffa80022ca570 2932 0x1e4 0x1f0003 Event
0xfffffa800320e470 2932 0x1e8 0x1f0003 Event
0xfffffa80023852a0 2932 0x1ec 0x1f0003 Event
0xfffff8a00246d790 2932 0x1f0 0x2001b Key MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\GANDCRABV4_RASAPI32
0xfffffa800244f4a0 2932 0x1f4 0x1f0003 Event
0xfffff8a007102fa0 2932 0x1f8 0x20019 Key USER
0xfffffa80031a4070 2932 0x1fc 0x804 EtwRegistration
0xfffffa8002367e60 2932 0x200 0x1f0001 ALPC Port
0xfffffa8003241850 2932 0x204 0x1f0001 ALPC Port
0xfffffa80021ae4f0 2932 0x208 0x1f0003 Event
0xfffff8a0029f0db0 2932 0x20c 0x2001b Key MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\GANDCRABV4_RASMANCS
0xfffffa8002ee6e20 2932 0x210 0x1f0003 Event
0xfffffa80036df340 2932 0x214 0x1f0003 Event
0xfffffa80023853e0 2932 0x218 0x1fffff Thread TID 2580 PID 2932
0xfffffa80033419a0 2932 0x21c 0x16019f File \Device\Afd\Endpoint
0xfffffa80021c6070 2932 0x220 0x1f0001 ALPC Port
0xfffff8a006f731d0 2932 0x224 0x3 Key USER\S-1-5-21-2428178914-2458993905-4034080872-1000
0xfffff8a008363600 2932 0x228 0xf003f Key USER\S-1-5-21-2428178914-2458993905-4034080872-1000_CLASSES
0xfffffa8003630340 2932 0x22c 0x1f0003 Event
0xfffffa80024771e0 2932 0x230 0x804 EtwRegistration
0xfffffa8002295ad0 2932 0x234 0x1f0003 Event
0xfffffa800250e380 2932 0x238 0x1f0003 Event
0xfffffa800244e270 2932 0x23c 0x1f0003 Event
0xfffffa800223d6e0 2932 0x240 0x1f0001 ALPC Port
0xfffffa8003902fe0 2932 0x244 0x1f0003 Event
0xfffffa80023853e0 2932 0x248 0x1fffff Thread TID 2580 PID 2932
0xfffffa80023853e0 2932 0x24c 0x10 Thread TID 2580 PID 2932
0xfffffa80032ada60 2932 0x250 0x1f0003 Event
0xfffffa8002390950 2932 0x254 0x1fffff Thread TID 1240 PID 2932
0xfffffa8003c4bb60 2932 0x258 0x1fffff Thread TID 1948 PID 2932
0xfffffa8003bebcc0 2932 0x25c 0x100080 File \Device\Nsi
0xfffffa80032644f0 2932 0x260 0x1f0001 ALPC Port
0xfffff8a003e6ed40 2932 0x264 0x20019 Key USER\S-1-5-21-2428178914-2458993905-4034080872-1000\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\NETWORK\LOCATION AWARENESS
0xfffffa80032d7520 2932 0x268 0x1f0003 Event
0xfffffa8002370930 2932 0x26c 0x1f0001 ALPC Port
0xfffffa8003890060 2932 0x270 0x1f0003 Event
0xfffffa8002326b60 2932 0x274 0x1f0003 Event
0xfffffa8002390950 2932 0x278 0x1fffff Thread TID 1240 PID 2932
0xfffffa80026233c0 2932 0x27c 0x804 EtwRegistration
0xfffffa800248feb0 2932 0x280 0x804 EtwRegistration
0xfffffa80024b6590 2932 0x284 0x804 EtwRegistration
0xfffffa80024c8540 2932 0x288 0x1f0003 Event
0xfffffa8002390950 2932 0x28c 0x1fffff Thread TID 1240 PID 2932
0xfffffa8002730f60 2932 0x290 0x1f0003 Event
0xfffffa8002515d20 2932 0x294 0x1f0003 Event
0xfffffa800388dcb0 2932 0x298 0x1f0003 Event
0xfffffa8002348c40 2932 0x29c 0x1f0003 Event
0xfffffa8001c93af0 2932 0x2a0 0x804 EtwRegistration
0xfffffa8001c93e60 2932 0x2a4 0x804 EtwRegistration
0xfffffa800319f490 2932 0x2a8 0x804 EtwRegistration
0xfffffa8002368fb0 2932 0x2ac 0x804 EtwRegistration
0xfffffa80022578d0 2932 0x2b0 0x804 EtwRegistration
0xfffffa800242dfb0 2932 0x2b4 0x804 EtwRegistration
0xfffffa800239c180 2932 0x2b8 0x804 EtwRegistration
0xfffffa8002651ad0 2932 0x2bc 0x804 EtwRegistration
0xfffffa8003a273f0 2932 0x2c0 0x804 EtwRegistration
0xfffffa80039ed070 2932 0x2c4 0x804 EtwRegistration
0xfffffa80039b8ab0 2932 0x2c8 0x804 EtwRegistration
0xfffffa80024577c0 2932 0x2cc 0x804 EtwRegistration
0xfffffa8002457180 2932 0x2d0 0x804 EtwRegistration
0xfffffa8002464e50 2932 0x2d4 0x804 EtwRegistration
0xfffffa800249c180 2932 0x2d8 0x804 EtwRegistration
0xfffffa80033a8130 2932 0x2dc 0x1f0003 Event
0xfffffa80023082b0 2932 0x2e0 0x1f0003 Event
0xfffffa8003945b90 2932 0x2e4 0x1f0003 Event
0xfffffa800250fab0 2932 0x2e8 0x804 EtwRegistration
0xfffffa800384a150 2932 0x2ec 0x1f0003 Semaphore
0xfffffa8003869350 2932 0x2f0 0x1f0001 Mutant ZonesCounterMutex
0xfffffa8002463530 2932 0x2f4 0x1f0003 Event
0xfffff8a0086709d0 2932 0x2f8 0x20019 Key USER\S-1-5-21-2428178914-2458993905-4034080872-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
0xfffff8a003f0ac60 2932 0x2fc 0x20019 Key MACHINE\SOFTWARE\POLICIES
0xfffff8a0071776d0 2932 0x300 0x20019 Key USER\S-1-5-21-2428178914-2458993905-4034080872-1000\SOFTWARE\POLICIES
0xfffff8a0070e7d90 2932 0x304 0x20019 Key USER\S-1-5-21-2428178914-2458993905-4034080872-1000\SOFTWARE
0xfffff8a002b1fd60 2932 0x308 0x20019 Key MACHINE\SOFTWARE\WOW6432NODE
0xfffff8a008384dc0 2932 0x30c 0x20019 Key USER\S-1-5-21-2428178914-2458993905-4034080872-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
0xfffff8a00233cb40 2932 0x310 0xf0007 Section UrlZonesSM_Coding_Karma
0xfffffa80038376a0 2932 0x314 0x1f0001 Mutant ZoneAttributeCacheCounterMutex
0xfffffa8002380060 2932 0x318 0x1f0001 Mutant
0xfffffa800388cb60 2932 0x31c 0x1f0001 Mutant ZonesCacheCounterMutex
0xfffffa80038376a0 2932 0x320 0x1f0001 Mutant ZoneAttributeCacheCounterMutex
0xfffffa800319e910 2932 0x324 0x1f0003 Event
0xfffffa8003888080 2932 0x328 0x1f0001 Mutant ZonesLockedCacheCounterMutex
0xfffffa8003794ed0 2932 0x32c 0x804 EtwRegistration
0xfffffa8003773da0 2932 0x330 0x100001 Mutant !IETld!Mutex
0xfffffa8002352bb0 2932 0x334 0x120089 File \Device\HarddiskVolume1\Windows\SysWOW64\en-US\urlmon.dll.mui
0xfffffa80023246d0 2932 0x338 0x1f0003 Event
0xfffffa8002490e60 2932 0x33c 0x100001 File \Device\KsecDD
0xfffffa8002386b60 2932 0x340 0x1fffff Thread TID 3060 PID 2932
0xfffffa80022ec060 2932 0x344 0x1fffff Thread TID 2968 PID 2932
0xfffffa80039e5510 2932 0x348 0x100003 Semaphore
0xfffffa80022eb5c0 2932 0x34c 0x804 EtwRegistration
0xfffffa8002476ca0 2932 0x350 0x100003 Semaphore
0xfffffa8002522770 2932 0x354 0x804 EtwRegistration
0xfffffa8002353e60 2932 0x358 0x1f0001 Mutant HGFSMUTEX
0xfffff8a0087f69e0 2932 0x35c 0xf0007 Section HGFSMEMORY
0xfffffa8003393230 2932 0x360 0x1f0003 Event
0xfffffa8003188b20 2932 0x368 0x100000 Event TermSrvReadyEvent
0xfffffa80024f91d0 2932 0x36c 0x804 EtwRegistration
0xfffff8a0071f2680 2932 0x370 0x20019 Key MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FOLDERDESCRIPTIONS\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\PROPERTYBAG
0xfffffa8002f03520 2932 0x374 0x804 EtwRegistration
0xfffff8a003f66df0 2932 0x378 0x20019 Key MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FOLDERDESCRIPTIONS\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\PROPERTYBAG
0xfffff8a00714cd00 2932 0x37c 0x2001d Key USER\S-1-5-21-2428178914-2458993905-4034080872-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\P3P\HISTORY
0xfffffa800266ba10 2932 0x380 0x100003 Semaphore
0xfffffa80031eefe0 2932 0x384 0x100003 Semaphore
0xfffffa80039db210 2932 0x38c 0x100003 Event
0xfffffa80022a7390 2932 0x390 0x1f0003 Event
0xfffffa8002463930 2932 0x394 0x804 EtwRegistration
0xfffffa8003c29690 2932 0x398 0x804 EtwRegistration
0xfffffa80039d0e60 2932 0x39c 0x804 EtwRegistration
0xfffffa8002ed96c0 2932 0x3a0 0x804 EtwRegistration
0xfffffa8002478fb0 2932 0x3a4 0x804 EtwRegistration
0xfffffa80039528f0 2932 0x3a8 0x804 EtwRegistration
0xfffffa80031bf300 2932 0x3ac 0x100003 Semaphore
0xfffffa80024402d0 2932 0x3b0 0x100003 Semaphore
0xfffffa80024652b0 2932 0x3b4 0x100003 Event
0xfffffa800231e710 2932 0x3b8 0x100003 Semaphore
0xfffffa80036e9060 2932 0x3bc 0x100003 Semaphore
0xfffffa80024598e0 2932 0x3c0 0x1f0001 Mutant
0xfffffa80023b0210 2932 0x3c4 0x804 EtwRegistration
0xfffffa80037c1650 2932 0x3c8 0x1f0001 ALPC Port
0xfffffa8003796a60 2932 0x3cc 0x804 EtwRegistration
0xfffffa80037619a0 2932 0x3d0 0x804 EtwRegistration
0xfffff8a003ed5e80 2932 0x3d4 0x20019 Key USER\S-1-5-21-2428178914-2458993905-4034080872-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS
0xfffff8a0017d5a80 2932 0x3d8 0x4 Section __ComCatalogCache__
0xfffff8a0016304f0 2932 0x3dc 0x4 Section
0xfffffa80021b92c0 2932 0x3e0 0x804 EtwRegistration
0xfffffa80024646c0 2932 0x3e4 0x804 EtwRegistration
0xfffffa8002474ca0 2932 0x3e8 0x100003 Semaphore
0xfffffa80023518b0 2932 0x3ec 0x212019f File \Device\Afd\AsyncConnectHlp
0xfffffa8002730830 2932 0x3f0 0x21f0003 IoCompletion
0xfffffa80023689d0 2932 0x3f4 0x1f0003 Event
0xfffffa800249a8f0 2932 0x3f8 0x100003 Semaphore
0xfffffa8002251ee0 2932 0x3fc 0x100003 Semaphore
0xfffffa8002f74130 2932 0x404 0x804 EtwRegistration
0xfffff8a0033aa780 2932 0x408 0x20019 Key MACHINE\SYSTEM\CONTROLSET001\SERVICES\CRYPT32
0xfffffa8001c96c70 2932 0x40c 0x1f0003 Event
0xfffffa8003539710 2932 0x410 0x1f0003 IoCompletion
0xfffffa8002253060 2932 0x414 0xf00ff TpWorkerFactory
0xfffffa800234caf0 2932 0x418 0x804 EtwRegistration
0xfffff8a003f14d00 2932 0x41c 0x20019 Key USER\S-1-5-21-2428178914-2458993905-4034080872-1000\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY
0xfffffa800234ca30 2932 0x420 0x804 EtwRegistration
0xfffffa8002448070 2932 0x424 0x804 EtwRegistration
0xfffffa8002476fc0 2932 0x428 0x1f0001 Mutant
0xfffffa8002341150 2932 0x42c 0x1f0003 Event
0xfffffa800248a7a0 2932 0x430 0x1f0001 Mutant
0xfffffa80036b7280 2932 0x434 0x1f0003 Event
0xfffffa8001c9d2a0 2932 0x438 0x1f0003 Event
0xfffffa8002eb4a30 2932 0x43c 0x100003 Semaphore
0xfffffa800388c450 2932 0x440 0x100003 Semaphore
0xfffffa8002437fb0 2932 0x444 0x804 EtwRegistration
0xfffffa80024429a0 2932 0x448 0x12019f File \Device\HarddiskVolume1\Users\Coding_Karma\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
0xfffffa8002ea3fe0 2932 0x44c 0x100003 Semaphore
0xfffffa8003868390 2932 0x450 0x100003 Semaphore
0xfffffa800234f710 2932 0x454 0x100003 Semaphore
0xfffffa80024fe060 2932 0x458 0x100003 Semaphore
0xfffffa8002f09ae0 2932 0x45c 0x100003 Semaphore
0xfffffa8002466fe0 2932 0x460 0x100003 Semaphore
0xfffffa8002ea24e0 2932 0x464 0x100003 Semaphore
0xfffffa8002cfd7f0 2932 0x468 0x100003 Semaphore
0xfffffa8002f07260 2932 0x46c 0x100003 Semaphore
0xfffffa8002517cb0 2932 0x470 0x100003 Semaphore
0xfffffa8002cfd8f0 2932 0x474 0x100003 Semaphore
0xfffffa80024f7ad0 2932 0x478 0x100003 Semaphore
0xfffffa80025157e0 2932 0x47c 0x100003 Semaphore
0xfffffa80024fb520 2932 0x480 0x1f0003 Event
0xfffffa800338a150 2932 0x484 0x1f0003 Event
0xfffffa8002354070 2932 0x488 0x100001 File \Device\HarddiskVolume1\Users\Coding_Karma\AppData\Roaming\Microsoft\SystemCertificates\My
0xfffffa8002494ee0 2932 0x48c 0x100003 Semaphore
0xfffffa80024797e0 2932 0x490 0x100003 Semaphore
0xfffffa8002f08fe0 2932 0x494 0x100003 Semaphore
0xfffffa800320a220 2932 0x498 0x100003 Semaphore
0xfffffa8003630150 2932 0x49c 0x1f0003 Event
0xfffffa8002f0d400 2932 0x4a0 0x100003 File \Device\KsecDD
0xfffffa800220e390 2932 0x4a4 0x100003 Semaphore
0xfffffa80022ec610 2932 0x4a8 0x100003 Semaphore
0xfffff8a00832ad90 2932 0x4ac 0x20019 Key MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CERTDLLCREATECERTIFICATECHAINENGINE\CONFIG
0xfffff8a0087e3210 2932 0x4b0 0x20019 Key MACHINE\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA
0xfffff8a003352830 2932 0x4b4 0x20019 Key USER\S-1-5-21-2428178914-2458993905-4034080872-1000\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY
0xfffff8a007171c80 2932 0x4b8 0x20019 Key USER\S-1-5-21-2428178914-2458993905-4034080872-1000\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA
0xfffff8a0086c5840 2932 0x4bc 0x20019 Key MACHINE\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\CA
0xfffff8a0086d1cd0 2932 0x4c0 0x20019 Key USER\S-1-5-21-2428178914-2458993905-4034080872-1000
0xfffff8a00875c060 2932 0x4c4 0x20019 Key MACHINE\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED
0xfffff8a00874dc00 2932 0x4c8 0x20019 Key USER\S-1-5-21-2428178914-2458993905-4034080872-1000\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED
0xfffff8a007101950 2932 0x4cc 0x20019 Key MACHINE\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\DISALLOWED
0xfffff8a003247a20 2932 0x4d0 0x20019 Key USER\S-1-5-21-2428178914-2458993905-4034080872-1000
0xfffff8a00286e060 2932 0x4d4 0x20019 Key MACHINE\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT
0xfffff8a00874d6d0 2932 0x4d8 0x20019 Key MACHINE\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\ROOT
0xfffff8a00876a350 2932 0x4dc 0x20019 Key USER\S-1-5-21-2428178914-2458993905-4034080872-1000\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT
0xfffff8a002e7c9a0 2932 0x4e0 0x20019 Key MACHINE\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT
0xfffff8a003f257f0 2932 0x4e4 0x20019 Key MACHINE\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE
0xfffff8a00874d610 2932 0x4e8 0x20019 Key MACHINE\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT
0xfffff8a007149370 2932 0x4ec 0x20019 Key USER\S-1-5-21-2428178914-2458993905-4034080872-1000\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE
0xfffff8a00868e3b0 2932 0x4f0 0x20019 Key USER\S-1-5-21-2428178914-2458993905-4034080872-1000\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT
0xfffff8a002b13660 2932 0x4f4 0x20019 Key MACHINE\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\TRUSTEDPEOPLE
0xfffff8a008312de0 2932 0x4f8 0x20019 Key USER\S-1-5-21-2428178914-2458993905-4034080872-1000
0xfffff8a002f58f60 2932 0x4fc 0x20019 Key MACHINE\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUST
0xfffff8a0086edda0 2932 0x500 0x20019 Key USER\S-1-5-21-2428178914-2458993905-4034080872-1000\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUST
0xfffff8a002a67fa0 2932 0x504 0x20019 Key MACHINE\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\TRUST
0xfffff8a008312d20 2932 0x508 0x20019 Key USER\S-1-5-21-2428178914-2458993905-4034080872-1000
0xfffffa8002f7eae0 2932 0x50c 0x1f0003 Event
0xfffffa8001c83060 2932 0x510 0x1f0003 Event
0xfffffa800243b900 2932 0x514 0x1f0003 Event
0xfffffa800239cfe0 2932 0x518 0x1f0003 Event
0xfffffa8001c9ddd0 2932 0x51c 0x1f0003 Event
0xfffffa80023dab70 2932 0x520 0x1f0003 Event
0xfffffa8002eb4060 2932 0x524 0x1f0003 Event
0xfffffa8002336100 2932 0x528 0x1f0003 Event
0xfffffa8003323320 2932 0x52c 0x1f0003 Event
0xfffffa8002430ee0 2932 0x530 0x1f0003 Event
0xfffffa8002430ee0 2932 0x534 0x1f0003 Event
0xfffffa8002493dc0 2932 0x538 0x1f0003 Event
0xfffffa8002493680 2932 0x53c 0x1f0001 ALPC Port
0xfffffa8002369b70 2932 0x540 0x1f0001 ALPC Port
0xfffff8a0032fd470 2932 0x544 0x20019 Key MACHINE\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES
0xfffffa800251af60 2932 0x548 0x1f0003 Event
0xfffffa8003359e80 2932 0x54c 0x1f0003 Event
0xfffffa800236a4e0 2932 0x550 0x1f0003 Event
0xfffffa8002f0b270 2932 0x554 0x1f0003 Event
0xfffffa800245dac0 2932 0x558 0x1f0003 Event
0xfffffa800251efe0 2932 0x55c 0x1f0003 Event
0xfffffa80024e6fe0 2932 0x560 0x1f0003 Event
0xfffffa80032109e0 2932 0x564 0x1f0003 Event
0xfffffa8002472850 2932 0x568 0x1f0003 Event
0xfffffa8002490bb0 2932 0x56c 0x1f0003 Event
0xfffffa8002346400 2932 0x570 0x1f0003 Event
0xfffffa8002346400 2932 0x574 0x1f0003 Event
0xfffffa8002f68160 2932 0x578 0x1f0003 Event
0xfffffa8002442160 2932 0x57c 0x1f0003 Event
0xfffff8a008312c60 2932 0x580 0x20019 Key USER\S-1-5-21-2428178914-2458993905-4034080872-1000\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES
0xfffffa8001c99ee0 2932 0x584 0x1f0003 Event
0xfffffa8003733510 2932 0x588 0x1f0003 Event
0xfffffa8002358870 2932 0x58c 0x1f0003 Event
0xfffffa8002cf31b0 2932 0x590 0x1f0003 Event
0xfffffa80033ffd40 2932 0x594 0x1f0003 Event
0xfffffa8002439540 2932 0x598 0x1f0003 Event
0xfffffa800245a9e0 2932 0x59c 0x1f0003 Event
0xfffffa80024511c0 2932 0x5a0 0x1f0003 Event
0xfffffa80038d3620 2932 0x5a4 0x1f0003 Event
0xfffffa8003858060 2932 0x5a8 0x1f0003 Event
0xfffffa80022cafe0 2932 0x5ac 0x1f0003 Event
0xfffffa8003557060 2932 0x5b0 0x1f0003 Event
0xfffffa800242a890 2932 0x5b4 0x1f0003 Event
0xfffffa8002442630 2932 0x5b8 0x100001 File \Device\HarddiskVolume1\Users\Coding_Karma\AppData\Roaming\Microsoft\SystemCertificates\My
0xfffffa8002497bb0 2932 0x5bc 0x1f0003 Event
0xfffffa800320c900 2932 0x5c0 0x1f0003 Event

The takeaway is the mutexes it's using:

WininetStartupMutex
WininetConnectionMutex
!IETld!Mutex
HGFSMUTEX
ZonesCacheCounterMutex
ZoneAttributeCacheCounterMutex
ZonesLockedCacheCounterMutex
WininetProxyRegistryMutex
Finally, googling these indeed tells us this is some fishy malware.

Now I think it's a good time to check the registry keys from the dump above.

MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\GANDCRABV4_RASAPI32
MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\GANDCRABV4_RASMANCS
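As an added example (not code from the original post), a small Python triage script that parses Volatility "handles" output, pulls one process's named Mutant and Key handles, and checks them against the mutex names and TRACING registry keys listed above. The sample rows are constructed for the example (the all-zero offset is a placeholder); the parser and indicator lists are assumptions of mine, not tooling from the post.

```python
import re
from typing import Dict, Iterable, List

# Named-mutex and registry indicators taken from the text above.
GANDCRAB_MUTEXES = {
    "WininetStartupMutex", "WininetConnectionMutex", "!IETld!Mutex", "HGFSMUTEX",
    "ZonesCacheCounterMutex", "ZoneAttributeCacheCounterMutex",
    "ZonesLockedCacheCounterMutex", "WininetProxyRegistryMutex",
}
REGISTRY_HINTS = (r"\TRACING\GANDCRABV4_",)  # covers the RASAPI32 and RASMANCS keys

# Constructed sample in the column layout of the Volatility "handles" plugin
# (Offset(V) Pid Handle Access Type Details). The Mutant and Key rows mirror
# entries from the dump; the all-zero offset is a constructed placeholder.
SAMPLE_HANDLES = [
    "Offset(V)          Pid  Handle  Access   Type   Details",
    "0xfffffa8003841ef0 2932 0x5c4 0x1f0003 Event",
    "0xfffffa8003773da0 2932 0x668 0x100001 Mutant !IETld!Mutex",
    "0xfffffa8002354570 2932 0x608 0x1f0001 Mutant c:!users!coding_karma!appdata!roaming!microsoft!windows!ietldcache!",
    "0xfffffa800248f070 2932 0x66c 0x1f0001 ALPC Port",
    r"0xfffff8a0032ce700 2932 0x694 0x20019 Key MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_PROTOCOL_LOCKDOWN",
    r"0x0000000000000000 2932 0x6f4 0x20019 Key MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\GANDCRABV4_RASAPI32",
    r"C:\Users\Coding_Karma\Desktop\GandCrab-v4.0>",
]

# One handles row; "ALPC Port" is the only multi-word type in the listing.
HANDLE_RE = re.compile(r"^(0x[0-9a-f]+)\s+(\d+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(ALPC Port|\S+)(?:\s+(.*))?$")

def parse_handles(lines: Iterable[str]) -> List[dict]:
    """Turn raw handles output into rows; header, prompt and blank lines are skipped."""
    rows = []
    for line in lines:
        m = HANDLE_RE.match(line.strip())
        if m:
            rows.append({"offset": m.group(1), "pid": int(m.group(2)), "handle": m.group(3),
                         "access": m.group(4), "type": m.group(5), "details": m.group(6) or ""})
    return rows

def match_indicators(rows: List[dict], pid: int) -> Dict[str, List[str]]:
    """Named Mutant / Key handles of one process checked against the indicator lists."""
    hits: Dict[str, List[str]] = {"mutex": [], "registry": []}
    for r in rows:
        if r["pid"] != pid or not r["details"]:
            continue
        if r["type"] == "Mutant" and r["details"] in GANDCRAB_MUTEXES:
            hits["mutex"].append(r["details"])
        elif r["type"] == "Key" and any(h in r["details"].upper() for h in REGISTRY_HINTS):
            hits["registry"].append(r["details"])
    return hits
```

Feed it the saved output of the handles plugin (one line per element) and the PID from pslist; anything reported under "mutex" or "registry" is what the post confirms by hand in the next steps.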

Let’s resume the image from suspended state and check these.

Registry tampering verified.

Let’s check this file too.

This seems like some message; let's remove the spaces and see if we can make any sense out of it.

This seems to run some sort of clipboard-stealing mechanism and access it via some website.

So urlmon.dll.mui is another infected file dropped.

As expected this is trying to connect to some C2 server.

Further analysis shows us more, and continuous, communication.

Now we have confirmed the following :
Registry Edits
C2 Communications
Encryption
Files Dropped

I think it’s a good time to move into the IDA decompiler.

Before doing that, let's just run the dumped file through VirusTotal.

It's GandCrab indeed.

Let’s get started with IDA now.

The first thing I do while analyzing malware is to check the imports: if there are very few imports, it might mean the sample is packed, and it's also really convenient to check for IsDebuggerPresent and similar calls to know how the executable will behave.

Not a complete mess, but it does have IsDebuggerPresent; maybe we can come back to bypassing this some day. Right now let's look at the stuff that might be interesting.

Maybe some C2 commands or interesting strings and such?

Self Explanatory.

It collects all this information, presumably to set up the encryption.

Copies the root-path.

This opens a registry key and stores the public and private keys; let's open it!

As anticipated we got the keys!

This caught my attention.

This gets the keyboard layout, maybe to send keystrokes?

cmd.exe executions; I think it cleans up its mess.

It closes these processes.

BOOM!

Encryption Routine :)

AV Evasion list

Request over network

So this was the analysis of the whole GandCrab Ransomware 4.0; you can expect all this in an upcoming course at Cybary classes.