16a58ca32a6575dfe91423f6844b1183ba35b8be1cf211773f09b230f1bd5102

Resubmissions

30-08-2022 13:11

220830-qeyfnsaha8 8

22-01-2021 10:07

210122-7vwcckmmtj 8

Analysis

max time kernel
149s
max time network
112s
platform
windows10_x64
resource
win10v20201028
submitted
22-01-2021 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
Size

149KB
MD5

fdbd0ccb8d0bea52f95cedb51c3de9e9
SHA1

d6fa30eeb170c70fc3892429df2872372b3cef48
SHA256

45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e
SHA512

3457221f4ef4e0e79f694f89b30c36fe731037f1565aae49d9b0bb151c6e50fb0523c0f7a82ba333726bd2f9822561e3ee794bacc1e8f052ea9a3a7d5bcbe3d0

Score

8^/10

persistence ransomware spyware upx

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\BackupMeasure.tiff => C:\Users\Admin\Pictures\BackupMeasure.tiff.cnh	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File renamed	C:\Users\Admin\Pictures\EnableWait.crw => C:\Users\Admin\Pictures\EnableWait.crw.cnh	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File renamed	C:\Users\Admin\Pictures\RequestTest.raw => C:\Users\Admin\Pictures\RequestTest.raw.cnh	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File renamed	C:\Users\Admin\Pictures\SubmitCopy.crw => C:\Users\Admin\Pictures\SubmitCopy.crw.cnh	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File renamed	C:\Users\Admin\Pictures\SwitchProtect.png => C:\Users\Admin\Pictures\SwitchProtect.png.cnh	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\Pictures\BackupMeasure.tiff	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/812-2-0x00007FF6D8A40000-0x00007FF6D8AAD000-memory.dmp	upx

Drops startup file 3 IoCs

Processes:

45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.txt	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\README.txt	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 72 IoCs

Processes:

45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exeexplorer.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Videos\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Public\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\$RECYCLE.BIN\S-1-5-21-1985363256-3005190890-1182679451-1000\desktop.ini	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1985363256-3005190890-1182679451-1000\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe

Drops file in Program Files directory 22364 IoCs

Processes:

45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL119.XML	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-core-xstate-l2-1-0.dll	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\README.txt	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\README.txt	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ca-es\README.txt	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\goopdateres_ja.dll	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_zh_4.4.0.v20140623020002.jar	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\Wide310x150\PaintWideTile.scale-125.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupSmallTile.scale-400.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_checkbox_unselected_18.svg	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\GKExcel.dll	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\librtpvideo_plugin.dll	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libsap_plugin.dll	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\Fonts\README.txt	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-256_contrast-white.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sl-si\ui-strings.js	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File created	C:\Program Files (x86)\Common Files\System\en-US\README.txt	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\Multiply_icon.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\ClrCompression.dll	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\MusicVideosDialogBackground.jpg	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_editpdf_18.svg	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\README.txt	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\cldrdata.jar	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-ms	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\1914_32x32x32.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\root\ui-strings.js	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\README.txt	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-settings.jar	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\AdjacencyLetter.dotx	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.GIF	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-24.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-96_altform-unplated.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\WideTile.scale-100.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\SmallTile.scale-100.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\WideTile.scale-200.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\lobby_deck_style_fable.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\thinking.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.sun.el_2.2.0.v201303151357.jar	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\README.txt	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\CubeTile_contrast-white.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\challenge\Go-for_the_Gold_.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\cz_60x42.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\version.js	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-It.otf	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\README.txt	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-pl.xrm-ms	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libpanoramix_plugin.dll	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MUAUTH.CAB	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\et_60x42.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\StopwatchMedTile.scale-200.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\selector.js	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\uk-ua\README.txt	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.SF	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_CN\README.txt	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\onenoteim.exe	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\zw_16x11.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\README.txt	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-32_altform-unplated_contrast-black.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\README.txt	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-white\iheart-radio.scale-125_contrast-white.png	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe

Drops file in Windows directory 1 IoCs

Processes:

45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe

description ioc process

File created C:\Windows\README.txt 45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4060 3048 WerFault.exe

description	ioc	process
File created	C:\Windows\README.txt	45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe

pid	pid_target	process	target process
4060	3048	WerFault.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchUI.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Modifies Control Panel 5 IoCs

evasion

Processes:

explorer.exeSearchUI.exeShellExperienceHost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Desktop\TranscodedImageCount = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Desktop\LastUpdated = "4294967295"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Colors	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Colors	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Desktop	explorer.exe

Modifies registry class 33 IoCs

Processes:

explorer.exeSearchUI.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "129"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "132483827320340134"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "0"	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\NumberOfSubdomains = "2"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "0"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010006000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e50701004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000bb8d4d55aef0d60100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000e50701004c0062006800200075006e006900720020007300760079007200660020006a006e007600670076006100740020006700620020006f00720020006f006800650061007200710020006700620020007100760066007000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000fa3d5e55aef0d60100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004c100000000000002000000e4070a004100720067006a006200650078000a005600610067007200650061007200670020006e00700070007200660066000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000ffffffff74ae2078e323294282c1e41cb67d5b9c000000000000000000000000065a6adc59add60100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e4070a004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc760000000000000000000000005aa40d5557add60100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e4070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e4070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

WerFault.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	4060	WerFault.exe
Token: SeShutdownPrivilege	188	explorer.exe
Token: SeCreatePagefilePrivilege	188	explorer.exe
Token: SeShutdownPrivilege	188	explorer.exe
Token: SeCreatePagefilePrivilege	188	explorer.exe
Token: SeShutdownPrivilege	188	explorer.exe
Token: SeCreatePagefilePrivilege	188	explorer.exe
Token: SeShutdownPrivilege	188	explorer.exe
Token: SeCreatePagefilePrivilege	188	explorer.exe
Token: SeShutdownPrivilege	188	explorer.exe
Token: SeCreatePagefilePrivilege	188	explorer.exe
Token: SeShutdownPrivilege	188	explorer.exe
Token: SeCreatePagefilePrivilege	188	explorer.exe
Token: SeShutdownPrivilege	188	explorer.exe
Token: SeCreatePagefilePrivilege	188	explorer.exe
Token: SeShutdownPrivilege	188	explorer.exe
Token: SeCreatePagefilePrivilege	188	explorer.exe
Token: SeShutdownPrivilege	188	explorer.exe
Token: SeCreatePagefilePrivilege	188	explorer.exe
Token: SeShutdownPrivilege	188	explorer.exe
Token: SeCreatePagefilePrivilege	188	explorer.exe
Token: SeShutdownPrivilege	188	explorer.exe
Token: SeCreatePagefilePrivilege	188	explorer.exe
Token: SeShutdownPrivilege	188	explorer.exe
Token: SeCreatePagefilePrivilege	188	explorer.exe
Token: SeShutdownPrivilege	188	explorer.exe
Token: SeCreatePagefilePrivilege	188	explorer.exe
Token: SeShutdownPrivilege	188	explorer.exe
Token: SeCreatePagefilePrivilege	188	explorer.exe
Token: SeShutdownPrivilege	188	explorer.exe
Token: SeCreatePagefilePrivilege	188	explorer.exe
Token: SeShutdownPrivilege	188	explorer.exe
Token: SeCreatePagefilePrivilege	188	explorer.exe
Token: SeShutdownPrivilege	188	explorer.exe
Token: SeCreatePagefilePrivilege	188	explorer.exe
Token: SeShutdownPrivilege	188	explorer.exe
Token: SeCreatePagefilePrivilege	188	explorer.exe

Suspicious use of FindShellTrayWindow 47 IoCs

Processes:

explorer.exe

pid	process
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

explorer.exe

pid	process
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe
188	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

SearchUI.exeShellExperienceHost.exe

pid process

2328 SearchUI.exe
2908 ShellExperienceHost.exe
2908 ShellExperienceHost.exe

pid	process
2328	SearchUI.exe
2908	ShellExperienceHost.exe
2908	ShellExperienceHost.exe

C:\Users\Admin\AppData\Local\Temp\45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe
"C:\Users\Admin\AppData\Local\Temp\45659c8b8a21158dbad3a15a174a42f923c6c179d9dcc3168d64f89cd9f1433e.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
PID:812

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3048 -s 5992
1⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\explorer.exe
explorer.exe
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies Control Panel
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:188

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Enumerates system info in registry
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2328

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
PID:2908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1985363256-3005190890-1182679451-1000\desktop.ini
MD5
ce5ceabf941e1385c18777a78f973bd5

SHA1
4d45077e753e9feea95f03c7a13b6cf47672e6b9

SHA256
4bd07a0c12fd2e6f554262807da51bf03ced8c9862452512c9520a496155ef15

SHA512
669543fc5e67eab47ac379cf751a5be811ff418fcbf7d9217a6ed99cdbddfea1b7f3dad1b4ff100a49dc5e279cc6f59e34bb42923ddfd0aa3459f4b863d13f4b

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db.cnh
MD5
9001dd272796751d4ddac16be3ff2720

SHA1
2e5a1001b7f759732402d62a7ae29c0a3a70c5da

SHA256
2803124944125a7f958a3b67bea714945aca3ab5483322cd2e2d7df39496a709

SHA512
b39a6503ed20ffcc054bc9197a39019d56f08f9f546cc5c31e31dfbfa6ad2f9a93e47a4a59349947d4e39db890701c1cb87d5864de24f0bf6ad29dace9b88f3d

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.cnh
MD5
97c3772eb741b6f823a9963ca0625583

SHA1
56e3be4291030e2488d6733869dbaf18a5774655

SHA256
795606cc0991c0345abb7db320f539ae2aed644fceaad41d5eed4edac73d89b1

SHA512
f25cf278736f11622a5d9207d0707a54f968d9dd50fe421108b8c01bbbf6416f767e080b8968c18210b41c5ab4f58e15b29d236ddda68705f331d2d5daa25f13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001d.db.cnh
MD5
07a2be451af1be4647fcd7d5d08f7d60

SHA1
5bfab77fba2ef65cef7bea12f723e0d437d751aa

SHA256
caba1560a25b0824c1c9f7a01e602ee8007a4fac6d35f10345835523509e09d4

SHA512
449b98e08cb5ccf590738eb99a6c225985da4cb27cd6dee4a79602e2e4d1e2bc0395169b7fff38f4bedc0261bf538e10ba83e0b705e9d162d83a0b9b02b997fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\counters2.dat
MD5
df54d5feaa636740073fa3fd9c44ea99

SHA1
d91f9cd4b5620575a3e97cd171ef2af03e10dd32

SHA256
572c6a17f53ef4dfc478ff1a1d9f8f39724657adbd661f2fbc7c5fe27dcdcb45

SHA512
80cd481f31f301efa5a90a3a7653187a2e5c5239e724db6aeea2437b0f4b8090f6640bde4817ba0f9c08f87d8ecfe6558646df2a667eef9f0daf7ece2cbddfe9

Download Submit
memory/812-2-0x00007FF6D8A40000-0x00007FF6D8AAD000-memory.dmp

Filesize
436KB

Download
memory/4060-4-0x0000027781400000-0x0000027781401000-memory.dmp

Filesize
4KB

Download
memory/4060-5-0x0000027781400000-0x0000027781401000-memory.dmp

Filesize
4KB

Download
memory/4060-6-0x0000027781400000-0x0000027781401000-memory.dmp

Filesize
4KB

Download