Resubmissions
submitted | id | score
19-10-2021 14:03 | 211019-rcwpqsfhg4 | 10
19-10-2021 13:56 | 211019-q8vxmsfhf4 | 10
15-10-2021 16:42 | 211015-t719tabbe4 | 10
Analysis
max time kernel: 138s
max time network: 133s
platform: windows10_x64
resource: win10-en-20210920
submitted: 19-10-2021 14:03
Static task: static1
Behavioral task: behavioral1
  Sample: 4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: 4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
  Resource: win10-en-20210920
General
Target: 4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
Size: 42KB
MD5: d29a5ac669fd239a2df8a7ba6bad4b75
SHA1: b18e00d53474c95fa0720b1720557e4d9a09f161
SHA256: 4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512
SHA512: c1e104375d445d7431fd68d0cb6731e459aa0be5b8495bcdca147d0052aa18e4a1f0817d54e2b72489cc9668772c36d6243f716cf542d48a3514f4fb3060a7b6
Malware Config
Extracted: C:\Users\Admin\AppData\Local\Temp\926737707\readme-warning.txt
Family: makop
Email: makopransom@outlook.com
Signatures
Makop
Ransomware family discovered by @VK_Intel in early 2020.
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
description | pid | process | target process
PID 184 created 2812 | 184 | WerFault.exe | SearchUI.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Processes:
pid | process
3888 | wbadmin.exe
Modifies Installed Components in the registry 2 TTPs
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\Pictures\WaitUninstall.tiff | 4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\D: | explorer.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 12 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 2 IoCs
Processes:
pid | pid_target | process | target process
1320 | 2872 | WerFault.exe |
184 | 2812 | WerFault.exe | SearchUI.exe
Checks SCSI registry key(s) 3 TTPs 16 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Enumerates system info in registry 2 TTPs 7 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | SearchUI.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | SearchUI.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
2384 | vssadmin.exe
Modifies registry class 31 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | 4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary data removed] | 4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
1876 | EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 35 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 46 IoCs
Processes:
Processes: explorer.exe (pid, process)
- 776 explorer.exe (46 entries)
-
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
Processes: explorer.exe (pid, process)
- 776 explorer.exe (24 entries)
-
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
Processes: EXCEL.EXE, ShellExperienceHost.exe, SearchUI.exe (pid, process)
- 1876 EXCEL.EXE (8 entries)
- 212 ShellExperienceHost.exe
- 2812 SearchUI.exe
- 212 ShellExperienceHost.exe
- 3816 SearchUI.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
Processes: 4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe, cmd.exe (pid, process, target process)
- PID 1752 (4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe) wrote to memory of 668 (cmd.exe), 2 entries
- PID 668 (cmd.exe) wrote to memory of 2384 (vssadmin.exe), 2 entries
- PID 668 (cmd.exe) wrote to memory of 3888 (wbadmin.exe), 2 entries
- PID 668 (cmd.exe) wrote to memory of 632 (WMIC.exe), 2 entries
- PID 1752 (4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe) wrote to memory of 3344 (NOTEPAD.EXE), 3 entries
Processes
(Process tree; the number in brackets is the depth in the tree, and children are indented under their parent.)
-
[1] C:\Users\Admin\AppData\Local\Temp\4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe"
    - Modifies extensions of user files
    - Drops file in Program Files directory
    - Modifies registry class
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  -
  [2] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory
    -
    [3] C:\Windows\system32\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
    -
    [3] C:\Windows\system32\wbadmin.exe
        Command line: wbadmin delete catalog -quiet
        - Deletes backup catalog
    -
    [3] C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
  -
  [2] C:\Windows\SysWOW64\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
-
[1] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\RestoreConvertFrom.ods"
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
-
[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
-
[1] C:\Windows\system32\wbengine.exe
    Command line: "C:\Windows\system32\wbengine.exe"
    - Suspicious use of AdjustPrivilegeToken
-
[1] C:\Windows\System32\vdsldr.exe
    Command line: C:\Windows\System32\vdsldr.exe -Embedding
-
[1] C:\Windows\System32\vds.exe
    Command line: C:\Windows\System32\vds.exe
    - Checks SCSI registry key(s)
-
[1] C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 2872 -s 2648
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
[1] C:\Windows\explorer.exe
    Command line: explorer.exe
    - Enumerates connected drives
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
-
[1] C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
    Command line: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
-
[1] C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    Command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
  -
  [2] C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 2812 -s 2040
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
-
[1] C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    Command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\7C0DD390-A82C-4DA9-8D4C-A25D3F1BDD63
MD5 ac86bad8c7cdf97559d3570da5016664
SHA1 dc4e3871f9932c3fd676c5a4a1a76188c2b1126b
SHA256 783319dc7e9bd47ad5e82bf609bb56b3f3ed4d225fa6c6d6562ea30280890490
SHA512 bac74b8bce7d45c29afc4858a93eb6065283e12e164036233f9a083dee04d46f4bd8d6529eace47fb129c011c799015ac6411449faf57211b858b2ad0cb1d2a9
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
MD5 807f6904dece69c1a2a1115f1a5f5645
SHA1 5a16c41f90f804be23b244fbcef969356b3b56e0
SHA256 86e9db5b7c0417260b40a3c69339f0932afb3bcbcb53a13db728048e91d11e6e
SHA512 4ea35c824e617edfe8d34d2236b3dc7e9ef12ceca9503d763213b5dd52b19a7c0a91587ecafe8a7bc02a8833c6cb1f5dadf48a9fb41301d2b7b7e4a25452bec7
-
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db
MD5 7b3fcacbe6f684e77e37008472c873d6
SHA1 0985b5bd819de936928361992d9f475b4b52d116
SHA256 cb8c95d2823e7dcad01b743c4cb977201e5aa2a068ce6c4803a0b0043b0cae76
SHA512 5386070e1c8fa7615c118c17b2c9de5fcc63303335bc6963b34ee6fab392484545f18860abeb8122432369287d730a8ea0dc6f56cb6b47c7e89af39f19a16ee5
-
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal
MD5 1b68d531e237e92c8533c7315078f496
SHA1 42da423a43618667ecda9407e4593982f654a09a
SHA256 38de45714e94c3584ce75f0eaed6472b4e92ec157a185609a9966c95930151f8
SHA512 6dfc9fbf0f0556778fea23e2e009624dd362256628e22653dbfdad5c5ecbef621ea1da4fe76d1ae0f230e16d2045269aad322f93e1928fb34e095022524acd7e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.3.db
MD5 ba5ea2a2900a9634cc74f8b7c8ecd959
SHA1 c209140f406b21e4fe67dd418365fe8944160deb
SHA256 fbac95c49939c92629133f8dc361e360b62047c21b6d049c606b92559367457c
SHA512 c6996f97d1348efd5bbc8a531b21e3f9685a52469cfd46e4e429f60f88ce7ac58dfbf1860838261fc8791885228676e9ad832a207fe8c47d0aa5db93da22f2f2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001d.db.[1C98C4F5].[makopransom@outlook.com].makop
MD5 b3e3ec1ac02ef73e8ca09f2549721b95
SHA1 b180f0f5eccaf140431f9eade364b6e9d8a7d33c
SHA256 afed76f6c8de035eac3defb4627448d0b782ab031252a4cc46220bf060ba6ee4
SHA512 a7e4677f0c47215ada05f904da11f997aa228703d37b9db7f0dc7cfca21514acb957d23c0ceafc7ac4b0390299c0adc9c94faa566f56137d5b5e095a8e7f251c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001e.db
MD5 ebcf310b25de8984c4cdf945c7848889
SHA1 98963e066cf28c18aac713871cb95e54a3ec6c71
SHA256 0cd433b0075a4e3285bdd184c3686647ca8dc9dc006f4869f0d0d5cdee2a73df
SHA512 acda3cc327a84559177a10964dde1295b2a330a280ca6d4d1716ba7b45c83a7ad16e69f51d72fe94b485127d663e8d16c73aad92906444cb579e338dc6b944e6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4032412167\2690874625.pri
MD5 d4768595c747f6923c92724f6c46d8d0
SHA1 a71df0353457621ef794c472e176bc44c9e8345a
SHA256 50be96de17b3a35b21e919770036b8caf4e2a5811d587f54db9da02baf2dc8e3
SHA512 3dcb1ed7bb92736f3f38975d21a4209331c1f9f0e2b9158731ca885407aa17634880fea2a02246acdbde93b814b77ade1c617c2b8118fa19a16c6444437ec187
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.cortana_cw5n1h2txyewy\AC\Microsoft\Windows\1601268389\3068621934.pri
MD5 fba8be708969567b482e70d163eff30f
SHA1 1ec5dea44e8367459a32fd5858125caf071cc3dc
SHA256 a7f9a4bfce1c3bc530db06ed1606ba15d09f7dfd99fdf691620b60797acac455
SHA512 34377d606fd72d8165c70b5d653f72f70c12cb04d607bd698ec7cae0ded654e804fccd379645b839925a2e52978afe91dbae19994abce782a5bdc86fa3c08292
-
C:\Users\Admin\AppData\Local\Temp\WER6DF.tmp.appcompat.txt
MD5 2279d0ac67e8a4efa1182f44770ec170
SHA1 ebda8154960dce76c2b608c6eb35701345b96416
SHA256 f1cfb01d15071ebe46fa364105a34be3466fc4c3dbf3005a442cc4bc1cf42c62
SHA512 3005b6fe44e1784f7ff891df9441a9332eb264a4076c57537b33fc6690909b03c2d11bc5687b2fc72f94bd9b938b65425895bdc4f8e7480dea59488cc48622cf
-
C:\Users\Admin\AppData\Local\Temp\a60b587f-b361-4a97-94d7-db1f02712717\1713683155.pri
MD5 25d6f880c0ed0e044dd2ccd773f694cd
SHA1 89053c28600e88413188fd721ea7101a42b05082
SHA256 d2e78b24ef2195f43c47b82e5c0623b2464dc0dc69ef50a5abc8365110999806
SHA512 eff68668ae0794fb2750ecab50a2c0f459dc81f8234766e31fd9467702a7f75ff84ca001b8892bb3f37da86df1b9b99e8b5cb0a9d012dcfc8610b5da4e274c19
-
C:\Users\Admin\AppData\Local\Temp\e940d2c5-1c34-4316-81f4-8985a48c2123\1713683155.pri
MD5 1cbb2014fea6e26e89f31f331767c81e
SHA1 ddb3983560c815b80321e61b68c410f0bdd2f4bd
SHA256 5818c0098e58bf7b6dbe4c2535213e50b39c5356df1142bf5718a8e59ebd5798
SHA512 cf2e04ef30e32764dcf711966c7bb96f1d8a249449964d6e2c48e18d14760072da69e28b2e678fca878a7dd8edcbec0d587f3a2b20c85239b404b9657070d536
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg.[1C98C4F5].[makopransom@outlook.com].makop
MD5 0a17ff5de8e08d174ed55a91c737bd18
SHA1 6dd4851dfddb88565ca652cc3e9bf5d2268af2ac
SHA256 ebfbd8b1291532d79b5a61c899c73fef661bd0a353195faa5807bcf25265f611
SHA512 8bc2ca259d639e19558dae87abd46865c6e018564619d11641ee59b3fe6d181da12ce0841fec898242ff57e81daa97d70c54916afcd74dc4c8911550f8816f97
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\readme-warning.txt
MD5 fedc6e4006fbfceb0967ddf88f1ad348
SHA1 4d94294e5c2918e410502ebd6cf71e0b4dbdd6e6
SHA256 f5ffb8388a3b741156957f0b7e45321ed41a847880e44b4a9eac28a60001517a
SHA512 640fbb4be0b2aa88a295980c92f1d802ce4e39fdb40393370b21606c3517620e64ebb62dd5ee2e8c694935d6e89e5224d510752a621a748c654b75f509b93a6a
-
C:\Users\Admin\Desktop\readme-warning.txt
MD5 fedc6e4006fbfceb0967ddf88f1ad348
SHA1 4d94294e5c2918e410502ebd6cf71e0b4dbdd6e6
SHA256 f5ffb8388a3b741156957f0b7e45321ed41a847880e44b4a9eac28a60001517a
SHA512 640fbb4be0b2aa88a295980c92f1d802ce4e39fdb40393370b21606c3517620e64ebb62dd5ee2e8c694935d6e89e5224d510752a621a748c654b75f509b93a6a
-
C:\Users\All Users\Microsoft\Windows\WER\Temp\WER1C0B.tmp.mdmp
MD5 0e2ec3070e0954270e9b4b2939aed4c3
SHA1 c51047d323fcd636070ddaba9720141891b293c1
SHA256 eb743323750acdc9737851fdb9a04b7a6a65a585d36c90d0d6d3d7d2de315ff2
SHA512 bdb21db79cc13393d9332b40856ccc19e6217cd86b4907c0b6409eb4e433116abf9324b064d6e7a5802305685d2b92247dbf71a3a95756cb1e55085bf00bdf47
-
C:\Users\All Users\Microsoft\Windows\WER\Temp\WER1F57.tmp.WERInternalMetadata.xml
MD5 4bca455fae58254ec6019001ca5e9491
SHA1 52ec8a1acd472a0702644408c3e9280826b8c91f
SHA256 05ce7790839c2bbb703d880f8fde30a889f15006ff160224e9351e09897fc956
SHA512 d8c1fd8825f729d0976cb58a783deddb73b1379888073010caa385f8c26f679f7000e8a0b7f3b26b42a188712b4a000bef856e23f59b54ee86c6ebf09afbc6ea
-
C:\Users\All Users\Microsoft\Windows\WER\Temp\WER5E3.tmp.WERInternalMetadata.xml
MD5 fe718700537b6e6f3a4eae7275bf0675
SHA1 84fca99d513607e85ba181ee461597a862b3f4c5
SHA256 246ab4fdca88189bc16c61cc6bcbc5486c69fa135f899dc9fffc5b77d5938002
SHA512 37894d1bae5bcf118641fa6a419d6c6d1ae43083b938de59cea9e4a4c69431c49ef208a12fcac1e3c0a3e35d8acc612f690cb0de37b153173266374e80d9b53b
-
memory/632-261-0x0000000000000000-mapping.dmp
-
memory/668-258-0x0000000000000000-mapping.dmp
-
memory/1876-122-0x000001992FF20000-0x000001992FF22000-memory.dmp (Filesize 8KB)
-
memory/1876-115-0x00007FFD20840000-0x00007FFD20850000-memory.dmp (Filesize 64KB)
-
memory/1876-121-0x00007FFD20840000-0x00007FFD20850000-memory.dmp (Filesize 64KB)
-
memory/1876-120-0x000001992FF20000-0x000001992FF22000-memory.dmp (Filesize 8KB)
-
memory/1876-119-0x000001992FF20000-0x000001992FF22000-memory.dmp (Filesize 8KB)
-
memory/1876-118-0x00007FFD20840000-0x00007FFD20850000-memory.dmp (Filesize 64KB)
-
memory/1876-117-0x00007FFD20840000-0x00007FFD20850000-memory.dmp (Filesize 64KB)
-
memory/1876-116-0x00007FFD20840000-0x00007FFD20850000-memory.dmp (Filesize 64KB)
-
memory/2384-259-0x0000000000000000-mapping.dmp
-
memory/3344-274-0x0000000000000000-mapping.dmp
-
memory/3888-260-0x0000000000000000-mapping.dmp