dearcry | 027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27

Analysis

max time kernel
153s
max time network
120s
platform
windows10_x64
resource
win10v20210410
submitted
26-07-2021 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
Size

1.3MB
MD5

a7e571312e05d547936aab18f0b30fbf
SHA1

e0d643e759b2adf736b451aff9afa92811ab8a99
SHA256

027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27
SHA512

20e8af2770aa1be935f7d1b74d6db6f9aeb5aebab016ac6c2e58e60b1b5c9029726fda7b75ed003bf4a1a5a480024231c6a90f5a3d812bf2438dc2c540a49f88

Score

10^/10

dearcry persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\PROGRAMDATA\DESKTOP\readme.txt

Family

dearcry

Ransom Note

Your file has been encrypted! If you want to decrypt, please contact us. [email protected] or [email protected] And please send me the following hash! d37fc1eabc6783a418d23a8d2ba5db5a

Emails

[email protected]

Signatures

DearCry
DearCry is a ransomware first seen after the 2021 Microsoft Exchange hacks.
ransomware dearcry
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\LimitEdit.tiff	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Users\Admin\Pictures\LimitEdit.tiff.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Users\Admin\Pictures\ResizeConfirm.tif.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Users\Admin\Pictures\SelectRevoke.tif.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Users\Admin\Pictures\StepRename.tif.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Users\Admin\Pictures\UnblockClear.tif.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 56 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\$RECYCLE.BIN\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini	explorer.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Users\Public\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCombinedFloatieModel.bin.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Mozilla Firefox\crashreporter.ini.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\mosaic_window.html.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_globalstyle.css.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\Xusage.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OUTLFLTR.DAT.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Microsoft Office\root\rsod\powerpoint.x-none.msi.16.x-none.boot.tree.dat.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\bin\ij.bat.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_preferencestyle.css.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\personaspybridge.js.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PowerPointInterProviderRanker.bin.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Microsoft Office\root\rsod\dcfmui.msi.16.en-us.tree.dat.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\mobile.css.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\7-Zip\Lang\ms.txt.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WordNaiveBayesCommandRanker.txt.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\office.x-none.msi.16.x-none.tree.dat	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Java\jre1.8.0_66\THIRDPARTYLICENSEREADME.txt.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Mozilla Firefox\application.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceTigrinya.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\7-Zip\Lang\fr.txt.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_terms_dict.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUIFormulaBarModel.bin	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Microsoft Office\root\rsod\proof.es-es.msi.16.es-es.tree.dat.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\Welcome.html.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\README.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_basestyle.css.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\LyncBasic_Eula.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OUTLFLTR.DAT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\VideoLAN\VLC\uninstall.log.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Resources\TopicPage\PartnerJS\retailDemo.js	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\AugLoop\third-party-notices.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\about.html.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\vlm.html.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\7-Zip\Lang\af.txt.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\proofing.msi.16.en-us.tree.dat	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\js\startup.js	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PowerPointCombinedFloatieModel.bin	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\powerpivot.x-none.msi.16.x-none.tree.dat	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\office.x-none.msi.16.x-none.boot.tree.dat	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Windows Defender\ThirdPartyNotices.txt.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\ssn_high_group_info.txt.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File created	C:\Program Files\Microsoft Office\root\rsod\word.x-none.msi.16.x-none.tree.dat.CRYPT	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\controllers.js	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\fr-FR.mail.config	027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
216	3064	WerFault.exe	38

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Modifies registry class 34 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "132625117264543786"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "0"	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\NumberOfSubdomains = "2"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "0"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "129"	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e50707004100720067006a006200650078000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c0000000000000000000000001ead433c1b82d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e50707004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000e0c0ad3b1b82d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e50704004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc7600000000000000000000000033a4c4b1d72dd70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
216	WerFault.exe
216	WerFault.exe
216	WerFault.exe
216	WerFault.exe
216	WerFault.exe
216	WerFault.exe
216	WerFault.exe
216	WerFault.exe
216	WerFault.exe
216	WerFault.exe
216	WerFault.exe
216	WerFault.exe
216	WerFault.exe
216	WerFault.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

description	pid	Process
Token: SeDebugPrivilege	216	WerFault.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe
Token: SeShutdownPrivilege	3532	explorer.exe
Token: SeCreatePagefilePrivilege	3532	explorer.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe
3532	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2900	ShellExperienceHost.exe
2212	SearchUI.exe
2900	ShellExperienceHost.exe

C:\Users\Admin\AppData\Local\Temp\027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe
"C:\Users\Admin\AppData\Local\Temp\027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27.sample.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:3928

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3064 -s 2868
1⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\explorer.exe
explorer.exe
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3532

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2900

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2212