dearcry | fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65

Analysis

max time kernel
151s
max time network
121s
platform
windows10_x64
resource
win10v20210408
submitted
26-07-2021 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
Size

1.3MB
MD5

6be28a4523984698e7154671f73361bf
SHA1

b974375ef0f6dcb6ce30558df2ed8570bf1ad642
SHA256

fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65
SHA512

c3a44431e8cbb76d75ea2a1caca6fe77dfbd2a9565da918620433d415d396c08394ecb1c6454fc69661d61683711e53b60a69435e25518a04e81c20136f62f20

Score

10^/10

dearcry persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\PROGRAMDATA\DESKTOP\readme.txt

Family

dearcry

Ransom Note

Your file has been encrypted! If you want to decrypt, please contact us. [email protected] or [email protected] And please send me the following hash! d37fc1eabc6783a418d23a8d2ba5db5a

Emails

[email protected]

Signatures

DearCry
DearCry is a ransomware first seen after the 2021 Microsoft Exchange hacks.
ransomware dearcry
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\OutLimit.tif.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 56 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\$RECYCLE.BIN\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini	explorer.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	explorer.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Public\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\en-GB.mail.config	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\ssn_high_group_info.txt.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkClientCP.bat.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_win.css.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\Welcome.html	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\Xusage.txt	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\excel.x-none.msi.16.x-none.boot.tree.dat	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\shortcuts_log.ini	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\README.html	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PowerPointCombinedFloatieModel.bin	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\server\Xusage.txt.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\excel.x-none.msi.16.x-none.tree.dat	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\osmuxmui.msi.16.en-us.vreg.dat	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\README.md	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\mosaic_window.html	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\pages\winrthost.htm	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\THIRDPARTYLICENSEREADME.txt	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\cacerts.pem	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\Microsoft Office\root\vreg\office.x-none.msi.16.x-none.vreg.dat.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\bin\startNetworkServer.bat.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPack2019Eula.txt	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\jvm.hprof.txt	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\mosaic_window.html.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AugLoop\third-party-notices.txt.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\osm.x-none.msi.16.x-none.boot.tree.dat	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\ffjcext.zip	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.PPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Stars.htm	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\index.html	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\word.x-none.msi.16.x-none.boot.tree.dat	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.DESKTOPAPPINSTALLER_1.0.10252.0_X64__8WEKYB3D8BBWE\ASSETS\CONTRAST-WHITE\readme.txt	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\osm.x-none.msi.16.x-none.vreg.dat	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\Microsoft Office\root\vreg\powerpoint.x-none.msi.16.x-none.vreg.dat.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Styling\css\ContentLight.css	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\powerpivot.x-none.msi.16.x-none.boot.tree.dat	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\desktop.ini.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieTextModel.bin.CRYPT	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\ApplicationInsights.config	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Bears.htm	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\asl-v20.txt	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\THIRDPARTYLICENSEREADME.txt	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\THIRDPARTYLICENSEREADME-JAVAFX.txt	fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
204	3020	WerFault.exe	21

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\NumberOfSubdomains = "2"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "0"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "132623575947209929"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010006000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002c100000000000002000000e50707005600610067007200650061007200670020006e00700070007200660066000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c0000000000000000000000005388142f2c82d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e50707004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c0000000000000000000000005ac6f02e2c82d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000e50707004c0062006800200075006e006900720020007300760079007200660020006a006e007600670076006100740020006700620020006f00720020006f006800650061007200710020006700620020007100760066007000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000000000000000000000000000000000000000000000000000000000000f975202f2c82d70100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e50704004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc76000000000000000000000000f4fe5fd9702cd70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "0"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "129"	SearchUI.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
204	WerFault.exe
204	WerFault.exe
204	WerFault.exe
204	WerFault.exe
204	WerFault.exe
204	WerFault.exe
204	WerFault.exe
204	WerFault.exe
204	WerFault.exe
204	WerFault.exe
204	WerFault.exe
204	WerFault.exe
204	WerFault.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	204	WerFault.exe
Token: SeShutdownPrivilege	1444	explorer.exe
Token: SeCreatePagefilePrivilege	1444	explorer.exe
Token: SeShutdownPrivilege	1444	explorer.exe
Token: SeCreatePagefilePrivilege	1444	explorer.exe
Token: SeShutdownPrivilege	1444	explorer.exe
Token: SeCreatePagefilePrivilege	1444	explorer.exe
Token: SeShutdownPrivilege	1444	explorer.exe
Token: SeCreatePagefilePrivilege	1444	explorer.exe
Token: SeShutdownPrivilege	1444	explorer.exe
Token: SeCreatePagefilePrivilege	1444	explorer.exe
Token: SeShutdownPrivilege	1444	explorer.exe
Token: SeCreatePagefilePrivilege	1444	explorer.exe
Token: SeShutdownPrivilege	1444	explorer.exe
Token: SeCreatePagefilePrivilege	1444	explorer.exe
Token: SeShutdownPrivilege	1444	explorer.exe
Token: SeCreatePagefilePrivilege	1444	explorer.exe
Token: SeShutdownPrivilege	1444	explorer.exe
Token: SeCreatePagefilePrivilege	1444	explorer.exe
Token: SeShutdownPrivilege	1444	explorer.exe
Token: SeCreatePagefilePrivilege	1444	explorer.exe
Token: SeShutdownPrivilege	1444	explorer.exe
Token: SeCreatePagefilePrivilege	1444	explorer.exe
Token: SeShutdownPrivilege	1444	explorer.exe
Token: SeCreatePagefilePrivilege	1444	explorer.exe
Token: SeShutdownPrivilege	1444	explorer.exe
Token: SeCreatePagefilePrivilege	1444	explorer.exe
Token: SeShutdownPrivilege	1444	explorer.exe
Token: SeCreatePagefilePrivilege	1444	explorer.exe
Token: SeShutdownPrivilege	1444	explorer.exe
Token: SeCreatePagefilePrivilege	1444	explorer.exe
Token: SeShutdownPrivilege	1444	explorer.exe
Token: SeCreatePagefilePrivilege	1444	explorer.exe
Token: SeShutdownPrivilege	1444	explorer.exe
Token: SeCreatePagefilePrivilege	1444	explorer.exe
Token: SeShutdownPrivilege	1444	explorer.exe
Token: SeCreatePagefilePrivilege	1444	explorer.exe
Token: SeShutdownPrivilege	1444	explorer.exe
Token: SeCreatePagefilePrivilege	1444	explorer.exe
Token: SeShutdownPrivilege	1444	explorer.exe
Token: SeCreatePagefilePrivilege	1444	explorer.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe
1444	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3032	SearchUI.exe
3988	ShellExperienceHost.exe
3988	ShellExperienceHost.exe

C:\Users\Admin\AppData\Local\Temp\fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe
"C:\Users\Admin\AppData\Local\Temp\fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65.sample.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:660

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3020 -s 2376
1⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:204

C:\Windows\explorer.exe
explorer.exe
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1444

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3988

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3032