makop | 08810549d87143439b0293f5772766cacaeebf217d692ddfb776f916f8b582fd

Resubmissions

19-10-2021 14:03

211019-rcwpqsfhg4 10

19-10-2021 13:56

211019-q8vxmsfhf4 10

15-10-2021 16:42

211015-t719tabbe4 10

Analysis

max time kernel
138s
max time network
133s
platform
windows10_x64
resource
win10-en-20210920
submitted
19-10-2021 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
Size

42KB
MD5

d29a5ac669fd239a2df8a7ba6bad4b75
SHA1

b18e00d53474c95fa0720b1720557e4d9a09f161
SHA256

4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512
SHA512

c1e104375d445d7431fd68d0cb6731e459aa0be5b8495bcdca147d0052aa18e4a1f0817d54e2b72489cc9668772c36d6243f716cf542d48a3514f4fb3060a7b6

Score

10^/10

makop persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\926737707\readme-warning.txt

Family

makop

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "makop" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: makopransom@outlook.com .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Emails

makopransom@outlook.com

Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.
ransomware makop
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 184 created 2812 184 WerFault.exe SearchUI.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

3888 wbadmin.exe
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

description	pid	process	target process
PID 184 created 2812	184	WerFault.exe	SearchUI.exe

pid	process
3888	wbadmin.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\WaitUninstall.tiff	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe

Drops file in Program Files directory 64 IoCs

Processes:

4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\de-de\readme-warning.txt	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\illustrations_retina.png	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\css\tool-selector.css	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.forms_3.6.100.v20140422-1825.jar	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\themes_frame.png	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\9434_24x24x32.png	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailWideTile.scale-125.png	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\es-es\readme-warning.txt	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionMedTile.scale-100.png	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\OneConnectSmallTile.scale-125.png	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fr-fr\ui-strings.js	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\pl-pl\ui-strings.js	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\az_get.svg	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense_eula.txt	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\OneConnectMedTile.scale-125.png	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\sv-se\ui-strings.js	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-Bold.otf	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.lucene.core_3.5.0.v20120725-1805.jar	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookMedTile.scale-200.png	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\readme-warning.txt	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Icons\spider_icon.png	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ppd.xrm-ms	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\Effects\effects_lobby_none.jpg	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarMediumTile.scale-400.png	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-sl\ui-strings.js	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\ui-strings.js	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ko-kr\readme-warning.txt	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\de-de\ui-strings.js	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\da-dk\readme-warning.txt	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_zh_CN.jar	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\ECLIPSE.INF	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\vlc.mo	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\Sounds\CrownAppearance.wav	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-40.png	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\ui-strings.js	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state.nl_ja_4.4.0.v20140623020002.jar	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Livetiles\MicrosoftSolitaireLargeTile.scale-100.jpg	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\devil.png	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\mg_60x42.png	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_altform-unplated_contrast-black.png	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\freecell\Alcatraz_Escape_.png	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sv-se\readme-warning.txt	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\css\readme-warning.txt	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\word.x-none.msi.16.x-none.boot.tree.dat	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\PREVIEW.GIF	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupSmallTile.scale-200.png	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionMedTile.scale-100.png	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Exchange.scale-250.png	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentfallback.xml	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-32.png	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\selector.js	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeNullOrEmpty.Tests.ps1	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\TextureBitmaps\droplets.jpg	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\4632_48x48x32.png	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\en_get.svg	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nb-no\ui-strings.js	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fi-fi\readme-warning.txt	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\TEE\generic.Messaging.config	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Beach\mask\1c.png	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\PeopleAppStoreLogo.scale-100.png	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\tr_60x42.png	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe

Drops file in Windows directory 12 IoCs

Processes:

ShellExperienceHost.exeexplorer.exeSearchUI.exeSearchUI.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\4032412167\2690874625.pri	ShellExperienceHost.exe
File created	C:\Windows\rescache\_merged\2717123927\1713683155.pri	ShellExperienceHost.exe
File created	C:\Windows\rescache\_merged\860799236\4237324420.pri	ShellExperienceHost.exe
File created	C:\Windows\rescache\_merged\1301087654\4010849688.pri	ShellExperienceHost.exe
File created	C:\Windows\rescache\_merged\4032412167\2690874625.pri	explorer.exe
File created	C:\Windows\rescache\_merged\1601268389\3068621934.pri	SearchUI.exe
File created	C:\Windows\rescache\_merged\2717123927\1713683155.pri	explorer.exe
File created	C:\Windows\rescache\_merged\1601268389\3068621934.pri	SearchUI.exe
File created	C:\Windows\rescache\_merged\4183903823\1195458082.pri	ShellExperienceHost.exe
File created	C:\Windows\rescache\_merged\1601268389\3068621934.pri	ShellExperienceHost.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	ShellExperienceHost.exe
File created	C:\Windows\rescache\_merged\4272278488\927794230.pri	ShellExperienceHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1320 2872 WerFault.exe
184 2812 WerFault.exe SearchUI.exe

pid	pid_target	process	target process
1320	2872	WerFault.exe
184	2812	WerFault.exe	SearchUI.exe

Checks SCSI registry key(s) 3 TTPs 16 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWerFault.exeSearchUI.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2384 vssadmin.exe

pid	process
2384	vssadmin.exe

Modifies registry class 31 IoCs

Processes:

explorer.exeSearchUI.exe4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "132766168982456120"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e5070a004100720067006a006200650078002000200033000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000074ae2078e323294282c1e41cb67d5b9c000000000000000000000000239cbc112cc5d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e5070a004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000d950ae112cc5d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e50709004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc76000000000000000000000000218621db20aed70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1876 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exeWerFault.exeWerFault.exe

pid	process
1752	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
1752	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
1320	WerFault.exe
1320	WerFault.exe
1320	WerFault.exe
1320	WerFault.exe
1320	WerFault.exe
1320	WerFault.exe
1320	WerFault.exe
1320	WerFault.exe
1320	WerFault.exe
1320	WerFault.exe
1320	WerFault.exe
1320	WerFault.exe
1320	WerFault.exe
1320	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exewbengine.exeWMIC.exeWerFault.exeexplorer.exe

description	pid	process
Token: SeBackupPrivilege	1264	vssvc.exe
Token: SeRestorePrivilege	1264	vssvc.exe
Token: SeAuditPrivilege	1264	vssvc.exe
Token: SeBackupPrivilege	2304	wbengine.exe
Token: SeRestorePrivilege	2304	wbengine.exe
Token: SeSecurityPrivilege	2304	wbengine.exe
Token: SeIncreaseQuotaPrivilege	632	WMIC.exe
Token: SeSecurityPrivilege	632	WMIC.exe
Token: SeTakeOwnershipPrivilege	632	WMIC.exe
Token: SeLoadDriverPrivilege	632	WMIC.exe
Token: SeSystemProfilePrivilege	632	WMIC.exe
Token: SeSystemtimePrivilege	632	WMIC.exe
Token: SeProfSingleProcessPrivilege	632	WMIC.exe
Token: SeIncBasePriorityPrivilege	632	WMIC.exe
Token: SeCreatePagefilePrivilege	632	WMIC.exe
Token: SeBackupPrivilege	632	WMIC.exe
Token: SeRestorePrivilege	632	WMIC.exe
Token: SeShutdownPrivilege	632	WMIC.exe
Token: SeDebugPrivilege	632	WMIC.exe
Token: SeSystemEnvironmentPrivilege	632	WMIC.exe
Token: SeRemoteShutdownPrivilege	632	WMIC.exe
Token: SeUndockPrivilege	632	WMIC.exe
Token: SeManageVolumePrivilege	632	WMIC.exe
Token: 33	632	WMIC.exe
Token: 34	632	WMIC.exe
Token: 35	632	WMIC.exe
Token: 36	632	WMIC.exe
Token: SeIncreaseQuotaPrivilege	632	WMIC.exe
Token: SeSecurityPrivilege	632	WMIC.exe
Token: SeTakeOwnershipPrivilege	632	WMIC.exe
Token: SeLoadDriverPrivilege	632	WMIC.exe
Token: SeSystemProfilePrivilege	632	WMIC.exe
Token: SeSystemtimePrivilege	632	WMIC.exe
Token: SeProfSingleProcessPrivilege	632	WMIC.exe
Token: SeIncBasePriorityPrivilege	632	WMIC.exe
Token: SeCreatePagefilePrivilege	632	WMIC.exe
Token: SeBackupPrivilege	632	WMIC.exe
Token: SeRestorePrivilege	632	WMIC.exe
Token: SeShutdownPrivilege	632	WMIC.exe
Token: SeDebugPrivilege	632	WMIC.exe
Token: SeSystemEnvironmentPrivilege	632	WMIC.exe
Token: SeRemoteShutdownPrivilege	632	WMIC.exe
Token: SeUndockPrivilege	632	WMIC.exe
Token: SeManageVolumePrivilege	632	WMIC.exe
Token: 33	632	WMIC.exe
Token: 34	632	WMIC.exe
Token: 35	632	WMIC.exe
Token: 36	632	WMIC.exe
Token: SeDebugPrivilege	1320	WerFault.exe
Token: SeShutdownPrivilege	776	explorer.exe
Token: SeCreatePagefilePrivilege	776	explorer.exe
Token: SeShutdownPrivilege	776	explorer.exe
Token: SeCreatePagefilePrivilege	776	explorer.exe
Token: SeShutdownPrivilege	776	explorer.exe
Token: SeCreatePagefilePrivilege	776	explorer.exe
Token: SeShutdownPrivilege	776	explorer.exe
Token: SeCreatePagefilePrivilege	776	explorer.exe
Token: SeShutdownPrivilege	776	explorer.exe
Token: SeCreatePagefilePrivilege	776	explorer.exe
Token: SeShutdownPrivilege	776	explorer.exe
Token: SeCreatePagefilePrivilege	776	explorer.exe
Token: SeShutdownPrivilege	776	explorer.exe
Token: SeCreatePagefilePrivilege	776	explorer.exe
Token: SeShutdownPrivilege	776	explorer.exe

Suspicious use of FindShellTrayWindow 46 IoCs

Processes:

explorer.exe

pid	process
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

explorer.exe

pid	process
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe
776	explorer.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXEShellExperienceHost.exeSearchUI.exeSearchUI.exe

pid	process
1876	EXCEL.EXE
1876	EXCEL.EXE
1876	EXCEL.EXE
1876	EXCEL.EXE
1876	EXCEL.EXE
1876	EXCEL.EXE
1876	EXCEL.EXE
1876	EXCEL.EXE
212	ShellExperienceHost.exe
2812	SearchUI.exe
212	ShellExperienceHost.exe
3816	SearchUI.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.execmd.exe

description	pid	process	target process
PID 1752 wrote to memory of 668	1752	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe	cmd.exe
PID 1752 wrote to memory of 668	1752	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe	cmd.exe
PID 668 wrote to memory of 2384	668	cmd.exe	vssadmin.exe
PID 668 wrote to memory of 2384	668	cmd.exe	vssadmin.exe
PID 668 wrote to memory of 3888	668	cmd.exe	wbadmin.exe
PID 668 wrote to memory of 3888	668	cmd.exe	wbadmin.exe
PID 668 wrote to memory of 632	668	cmd.exe	WMIC.exe
PID 668 wrote to memory of 632	668	cmd.exe	WMIC.exe
PID 1752 wrote to memory of 3344	1752	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe	NOTEPAD.EXE
PID 1752 wrote to memory of 3344	1752	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe	NOTEPAD.EXE
PID 1752 wrote to memory of 3344	1752	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
"C:\Users\Admin\AppData\Local\Temp\4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2384

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:3888

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
2⤵
PID:3344

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\RestoreConvertFrom.ods"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1876

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3848

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3232

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2872 -s 2648
1⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\explorer.exe
explorer.exe
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:776

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:212

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2812

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2812 -s 2040
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:184

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\7C0DD390-A82C-4DA9-8D4C-A25D3F1BDD63
MD5
ac86bad8c7cdf97559d3570da5016664

SHA1
dc4e3871f9932c3fd676c5a4a1a76188c2b1126b

SHA256
783319dc7e9bd47ad5e82bf609bb56b3f3ed4d225fa6c6d6562ea30280890490

SHA512
bac74b8bce7d45c29afc4858a93eb6065283e12e164036233f9a083dee04d46f4bd8d6529eace47fb129c011c799015ac6411449faf57211b858b2ad0cb1d2a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
MD5
807f6904dece69c1a2a1115f1a5f5645

SHA1
5a16c41f90f804be23b244fbcef969356b3b56e0

SHA256
86e9db5b7c0417260b40a3c69339f0932afb3bcbcb53a13db728048e91d11e6e

SHA512
4ea35c824e617edfe8d34d2236b3dc7e9ef12ceca9503d763213b5dd52b19a7c0a91587ecafe8a7bc02a8833c6cb1f5dadf48a9fb41301d2b7b7e4a25452bec7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db
MD5
7b3fcacbe6f684e77e37008472c873d6

SHA1
0985b5bd819de936928361992d9f475b4b52d116

SHA256
cb8c95d2823e7dcad01b743c4cb977201e5aa2a068ce6c4803a0b0043b0cae76

SHA512
5386070e1c8fa7615c118c17b2c9de5fcc63303335bc6963b34ee6fab392484545f18860abeb8122432369287d730a8ea0dc6f56cb6b47c7e89af39f19a16ee5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal
MD5
1b68d531e237e92c8533c7315078f496

SHA1
42da423a43618667ecda9407e4593982f654a09a

SHA256
38de45714e94c3584ce75f0eaed6472b4e92ec157a185609a9966c95930151f8

SHA512
6dfc9fbf0f0556778fea23e2e009624dd362256628e22653dbfdad5c5ecbef621ea1da4fe76d1ae0f230e16d2045269aad322f93e1928fb34e095022524acd7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.3.db
MD5
ba5ea2a2900a9634cc74f8b7c8ecd959

SHA1
c209140f406b21e4fe67dd418365fe8944160deb

SHA256
fbac95c49939c92629133f8dc361e360b62047c21b6d049c606b92559367457c

SHA512
c6996f97d1348efd5bbc8a531b21e3f9685a52469cfd46e4e429f60f88ce7ac58dfbf1860838261fc8791885228676e9ad832a207fe8c47d0aa5db93da22f2f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001d.db.[1C98C4F5].[makopransom@outlook.com].makop
MD5
b3e3ec1ac02ef73e8ca09f2549721b95

SHA1
b180f0f5eccaf140431f9eade364b6e9d8a7d33c

SHA256
afed76f6c8de035eac3defb4627448d0b782ab031252a4cc46220bf060ba6ee4

SHA512
a7e4677f0c47215ada05f904da11f997aa228703d37b9db7f0dc7cfca21514acb957d23c0ceafc7ac4b0390299c0adc9c94faa566f56137d5b5e095a8e7f251c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001e.db
MD5
ebcf310b25de8984c4cdf945c7848889

SHA1
98963e066cf28c18aac713871cb95e54a3ec6c71

SHA256
0cd433b0075a4e3285bdd184c3686647ca8dc9dc006f4869f0d0d5cdee2a73df

SHA512
acda3cc327a84559177a10964dde1295b2a330a280ca6d4d1716ba7b45c83a7ad16e69f51d72fe94b485127d663e8d16c73aad92906444cb579e338dc6b944e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4032412167\2690874625.pri
MD5
d4768595c747f6923c92724f6c46d8d0

SHA1
a71df0353457621ef794c472e176bc44c9e8345a

SHA256
50be96de17b3a35b21e919770036b8caf4e2a5811d587f54db9da02baf2dc8e3

SHA512
3dcb1ed7bb92736f3f38975d21a4209331c1f9f0e2b9158731ca885407aa17634880fea2a02246acdbde93b814b77ade1c617c2b8118fa19a16c6444437ec187

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.cortana_cw5n1h2txyewy\AC\Microsoft\Windows\1601268389\3068621934.pri
MD5
fba8be708969567b482e70d163eff30f

SHA1
1ec5dea44e8367459a32fd5858125caf071cc3dc

SHA256
a7f9a4bfce1c3bc530db06ed1606ba15d09f7dfd99fdf691620b60797acac455

SHA512
34377d606fd72d8165c70b5d653f72f70c12cb04d607bd698ec7cae0ded654e804fccd379645b839925a2e52978afe91dbae19994abce782a5bdc86fa3c08292

Download Submit
C:\Users\Admin\AppData\Local\Temp\WER6DF.tmp.appcompat.txt
MD5
2279d0ac67e8a4efa1182f44770ec170

SHA1
ebda8154960dce76c2b608c6eb35701345b96416

SHA256
f1cfb01d15071ebe46fa364105a34be3466fc4c3dbf3005a442cc4bc1cf42c62

SHA512
3005b6fe44e1784f7ff891df9441a9332eb264a4076c57537b33fc6690909b03c2d11bc5687b2fc72f94bd9b938b65425895bdc4f8e7480dea59488cc48622cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\a60b587f-b361-4a97-94d7-db1f02712717\1713683155.pri
MD5
25d6f880c0ed0e044dd2ccd773f694cd

SHA1
89053c28600e88413188fd721ea7101a42b05082

SHA256
d2e78b24ef2195f43c47b82e5c0623b2464dc0dc69ef50a5abc8365110999806

SHA512
eff68668ae0794fb2750ecab50a2c0f459dc81f8234766e31fd9467702a7f75ff84ca001b8892bb3f37da86df1b9b99e8b5cb0a9d012dcfc8610b5da4e274c19

Download Submit
C:\Users\Admin\AppData\Local\Temp\e940d2c5-1c34-4316-81f4-8985a48c2123\1713683155.pri
MD5
1cbb2014fea6e26e89f31f331767c81e

SHA1
ddb3983560c815b80321e61b68c410f0bdd2f4bd

SHA256
5818c0098e58bf7b6dbe4c2535213e50b39c5356df1142bf5718a8e59ebd5798

SHA512
cf2e04ef30e32764dcf711966c7bb96f1d8a249449964d6e2c48e18d14760072da69e28b2e678fca878a7dd8edcbec0d587f3a2b20c85239b404b9657070d536

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg.[1C98C4F5].[makopransom@outlook.com].makop
MD5
0a17ff5de8e08d174ed55a91c737bd18

SHA1
6dd4851dfddb88565ca652cc3e9bf5d2268af2ac

SHA256
ebfbd8b1291532d79b5a61c899c73fef661bd0a353195faa5807bcf25265f611

SHA512
8bc2ca259d639e19558dae87abd46865c6e018564619d11641ee59b3fe6d181da12ce0841fec898242ff57e81daa97d70c54916afcd74dc4c8911550f8816f97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\readme-warning.txt
MD5
fedc6e4006fbfceb0967ddf88f1ad348

SHA1
4d94294e5c2918e410502ebd6cf71e0b4dbdd6e6

SHA256
f5ffb8388a3b741156957f0b7e45321ed41a847880e44b4a9eac28a60001517a

SHA512
640fbb4be0b2aa88a295980c92f1d802ce4e39fdb40393370b21606c3517620e64ebb62dd5ee2e8c694935d6e89e5224d510752a621a748c654b75f509b93a6a

Download Submit
C:\Users\Admin\Desktop\readme-warning.txt
MD5
fedc6e4006fbfceb0967ddf88f1ad348

SHA1
4d94294e5c2918e410502ebd6cf71e0b4dbdd6e6

SHA256
f5ffb8388a3b741156957f0b7e45321ed41a847880e44b4a9eac28a60001517a

SHA512
640fbb4be0b2aa88a295980c92f1d802ce4e39fdb40393370b21606c3517620e64ebb62dd5ee2e8c694935d6e89e5224d510752a621a748c654b75f509b93a6a

Download Submit
C:\Users\All Users\Microsoft\Windows\WER\Temp\WER1C0B.tmp.mdmp
MD5
0e2ec3070e0954270e9b4b2939aed4c3

SHA1
c51047d323fcd636070ddaba9720141891b293c1

SHA256
eb743323750acdc9737851fdb9a04b7a6a65a585d36c90d0d6d3d7d2de315ff2

SHA512
bdb21db79cc13393d9332b40856ccc19e6217cd86b4907c0b6409eb4e433116abf9324b064d6e7a5802305685d2b92247dbf71a3a95756cb1e55085bf00bdf47

Download Submit
C:\Users\All Users\Microsoft\Windows\WER\Temp\WER1F57.tmp.WERInternalMetadata.xml
MD5
4bca455fae58254ec6019001ca5e9491

SHA1
52ec8a1acd472a0702644408c3e9280826b8c91f

SHA256
05ce7790839c2bbb703d880f8fde30a889f15006ff160224e9351e09897fc956

SHA512
d8c1fd8825f729d0976cb58a783deddb73b1379888073010caa385f8c26f679f7000e8a0b7f3b26b42a188712b4a000bef856e23f59b54ee86c6ebf09afbc6ea

Download Submit
C:\Users\All Users\Microsoft\Windows\WER\Temp\WER5E3.tmp.WERInternalMetadata.xml
MD5
fe718700537b6e6f3a4eae7275bf0675

SHA1
84fca99d513607e85ba181ee461597a862b3f4c5

SHA256
246ab4fdca88189bc16c61cc6bcbc5486c69fa135f899dc9fffc5b77d5938002

SHA512
37894d1bae5bcf118641fa6a419d6c6d1ae43083b938de59cea9e4a4c69431c49ef208a12fcac1e3c0a3e35d8acc612f690cb0de37b153173266374e80d9b53b

Download Submit
memory/632-261-0x0000000000000000-mapping.dmp

Download
memory/668-258-0x0000000000000000-mapping.dmp

Download
memory/1876-122-0x000001992FF20000-0x000001992FF22000-memory.dmp

Filesize
8KB

Download
memory/1876-115-0x00007FFD20840000-0x00007FFD20850000-memory.dmp

Filesize
64KB

Download
memory/1876-121-0x00007FFD20840000-0x00007FFD20850000-memory.dmp

Filesize
64KB

Download
memory/1876-120-0x000001992FF20000-0x000001992FF22000-memory.dmp

Filesize
8KB

Download
memory/1876-119-0x000001992FF20000-0x000001992FF22000-memory.dmp

Filesize
8KB

Download
memory/1876-118-0x00007FFD20840000-0x00007FFD20850000-memory.dmp

Filesize
64KB

Download
memory/1876-117-0x00007FFD20840000-0x00007FFD20850000-memory.dmp

Filesize
64KB

Download
memory/1876-116-0x00007FFD20840000-0x00007FFD20850000-memory.dmp

Filesize
64KB

Download
memory/2384-259-0x0000000000000000-mapping.dmp

Download
memory/3344-274-0x0000000000000000-mapping.dmp

Download
memory/3888-260-0x0000000000000000-mapping.dmp

Download