dearcry | 027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27

Analysis

max time kernel
153s
max time network
120s
platform
windows10_x64
resource
win10v20210410
submitted
26-07-2021 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
Size

1.3MB
MD5

a7e571312e05d547936aab18f0b30fbf
SHA1

e0d643e759b2adf736b451aff9afa92811ab8a99
SHA256

027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27
SHA512

20e8af2770aa1be935f7d1b74d6db6f9aeb5aebab016ac6c2e58e60b1b5c9029726fda7b75ed003bf4a1a5a480024231c6a90f5a3d812bf2438dc2c540a49f88

Score

10^/10

dearcry persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\PROGRAMDATA\DESKTOP\readme.txt

Family

dearcry

Ransom Note

Your file has been encrypted! If you want to decrypt, please contact us. [email protected] or [email protected] And please send me the following hash! d37fc1eabc6783a418d23a8d2ba5db5a

Emails

[email protected]

Signatures

DearCry
DearCry is a ransomware first seen after the 2021 Microsoft Exchange hacks.
ransomware dearcry
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\LimitEdit.tiff	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Users\Admin\Pictures\LimitEdit.tiff.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Users\Admin\Pictures\ResizeConfirm.tif.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Users\Admin\Pictures\SelectRevoke.tif.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Users\Admin\Pictures\StepRename.tif.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Users\Admin\Pictures\UnblockClear.tif.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 56 IoCs

Processes:

027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exeexplorer.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\$RECYCLE.BIN\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini	explorer.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Public\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe

Drops file in Program Files directory 64 IoCs

Processes:

027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCombinedFloatieModel.bin.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Mozilla Firefox\crashreporter.ini.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\mosaic_window.html.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_globalstyle.css.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\Xusage.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OUTLFLTR.DAT.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Microsoft Office\root\rsod\powerpoint.x-none.msi.16.x-none.boot.tree.dat.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\bin\ij.bat.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_preferencestyle.css.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\personaspybridge.js.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PowerPointInterProviderRanker.bin.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Microsoft Office\root\rsod\dcfmui.msi.16.en-us.tree.dat.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\mobile.css.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\7-Zip\Lang\ms.txt.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WordNaiveBayesCommandRanker.txt.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\office.x-none.msi.16.x-none.tree.dat	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Java\jre1.8.0_66\THIRDPARTYLICENSEREADME.txt.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Mozilla Firefox\application.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceTigrinya.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\7-Zip\Lang\fr.txt.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_terms_dict.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUIFormulaBarModel.bin	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Microsoft Office\root\rsod\proof.es-es.msi.16.es-es.tree.dat.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\Welcome.html.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\README.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_basestyle.css.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\LyncBasic_Eula.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OUTLFLTR.DAT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\VideoLAN\VLC\uninstall.log.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Resources\TopicPage\PartnerJS\retailDemo.js	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\AugLoop\third-party-notices.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\about.html.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\vlm.html.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\7-Zip\Lang\af.txt.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\proofing.msi.16.en-us.tree.dat	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\js\startup.js	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PowerPointCombinedFloatieModel.bin	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\powerpivot.x-none.msi.16.x-none.tree.dat	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\office.x-none.msi.16.x-none.boot.tree.dat	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Windows Defender\ThirdPartyNotices.txt.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\ssn_high_group_info.txt.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Microsoft Office\root\rsod\word.x-none.msi.16.x-none.tree.dat.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\controllers.js	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\fr-FR.mail.config	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

216 3064 WerFault.exe

pid	pid_target	process	target process
216	3064	WerFault.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchUI.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Modifies registry class 34 IoCs

Processes:

explorer.exeSearchUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "132625117264543786"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "0"	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\NumberOfSubdomains = "2"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "0"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "129"	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e50707004100720067006a006200650078000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c0000000000000000000000001ead433c1b82d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e50707004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000e0c0ad3b1b82d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e50704004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc7600000000000000000000000033a4c4b1d72dd70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
216	WerFault.exe
216	WerFault.exe
216	WerFault.exe
216	WerFault.exe
216	WerFault.exe
216	WerFault.exe
216	WerFault.exe
216	WerFault.exe
216	WerFault.exe
216	WerFault.exe
216	WerFault.exe
216	WerFault.exe
216	WerFault.exe
216	WerFault.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

Processes:

WerFault.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	216	WerFault.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe

Suspicious use of FindShellTrayWindow 51 IoCs

Processes:

explorer.exe

pid	process
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe

Suspicious use of SendNotifyMessage 28 IoCs

Processes:

explorer.exe

pid	process
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

ShellExperienceHost.exeSearchUI.exe

pid process

2900 ShellExperienceHost.exe
2212 SearchUI.exe
2900 ShellExperienceHost.exe

pid	process
2900	ShellExperienceHost.exe
2212	SearchUI.exe
2900	ShellExperienceHost.exe

C:\Users\Admin\AppData\Local\Temp\027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
"C:\Users\Admin\AppData\Local\Temp\027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:3928

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3064 -s 2868
1⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\explorer.exe
explorer.exe
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3532

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2900

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db

MD5
4534f12102d235344cf8dda748f0cabf

SHA1
7db67baceeecb3a420bf37a7beca4a45185f8f3c

SHA256
1bd4db450abc8914c2fac721cace2704ff4c16028e6d07293154dad289835694

SHA512
7b4dacdbc6a2fccdd3818eb41b7fa23eeec51f333af0e842d9185c7ae45eba1623369b1caa27b824cba10c4cd6a2cdbf7f127ab2c6f7656eedce5fe25a0b84a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.3.db

MD5
4534f12102d235344cf8dda748f0cabf

SHA1
7db67baceeecb3a420bf37a7beca4a45185f8f3c

SHA256
1bd4db450abc8914c2fac721cace2704ff4c16028e6d07293154dad289835694

SHA512
7b4dacdbc6a2fccdd3818eb41b7fa23eeec51f333af0e842d9185c7ae45eba1623369b1caa27b824cba10c4cd6a2cdbf7f127ab2c6f7656eedce5fe25a0b84a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001c.db

MD5
001ed257544479fa1d1d84aacbd780a7

SHA1
4e95b0b5a1933198ce75f73a422c3b91aac7b27c

SHA256
b472e5d0984e03cde3b9fceda14a15fabbdc0bf9a30e90cddadf0d34bb8a54d8

SHA512
6b7cbc42f3e2578668453cfef198ccdbf23e6cb90872999345e7865e386c1c24c40e60713f159c27e1f0f21c63b53b1b4b4de12c469efa4733b50f0c839c0b66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001c.db.CRYPT

MD5
73b97aa8b42ddebfaf34efa1908699c7

SHA1
f62dd857b9a89efe54ab952775024107ba5fac91

SHA256
691edcf0454cb441e3cf158a4bd56690c7b3ef20760d61dc937e2c06dc1044ec

SHA512
86b016c50d4e106e25a93cd12e1d8f68a6349d4f111b4c423983a31a80deaf13165eff5595ccddc346d47e167ba5616d73b9a0e8835507e1d699bb8d329dba62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db

MD5
c7c6abfa9cb508f7fc178d4045313a94

SHA1
4f130f23896bd6d0e95f2a42b2cb83d17ac8f1a2

SHA256
1bda9f0aed80857d43c9329457f28b1ca29f736a0c539901e1ba16a909eb07b4

SHA512
9f1c1e438b8cceda02663a61a64c1c5fc6fb6238aa92d30e6d8d1a7b0cb29a8a6f26b63b9964ad876617f71ee7dc3c05205158c4ed4be327149652b1c6900825

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

MD5
d62de45260290993ab8f379c928263eb

SHA1
1a885ddfea2427607247084565bf7b547005b7cc

SHA256
5443a81a010bc1ff7da14947d3737287a2045bac55e5a7057ce5d17171989c58

SHA512
66228c968e4691940ec8e3265de44ca328e7787dcd04fd4a6a0142a63164f70aaada515221e2a9654d7790e90ed1b73cf63024f65c72b3313b05c82c3ee67ec3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\counters2.dat

MD5
af35b0d348e5162036e183339d385b0c

SHA1
2927490ade868795ecdd8febe05214cbd243ef35

SHA256
b6ac3cc10386331c765f04f041c147d0f278f2aed8eaa021e2d0057fc6f6ff9e

SHA512
6486a74d95f54812a76071f6c6344ab6d34df3da685ec70dc78d9c5804b4ee3c449d9e68a6b52491f8275b838c2cd9102c3c223a620bbee2671edbff2611594e

Download Submit
memory/3532-119-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download