asyncrat | e03df762bb062c44aa98d703fb59acf42d886e1b29e7ca0e0300a0f9280ed64a

Processes:

explorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Drops file in Drivers directory 2 IoCs

Processes:

Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\gmreadme.txt.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

cmd.exeHEUR-Trojan-Ransom.MSIL.Spora.gen-08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exeHEUR-Trojan-Ransom.MSIL.Crusis.gen-cab9a80193d8de8880695ff176379cc4e3378a3f0bc901a973c8d2cf419ed920.exewmisecure64.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Spora.gen-08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.MSIL.Crusis.gen-cab9a80193d8de8880695ff176379cc4e3378a3f0bc901a973c8d2cf419ed920.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wmisecure64.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004
Deletes itself 1 IoCs

Processes:

Trojan-Ransom.Win32.Agent.azbu-c4bd0baec275a7f967adf3df4d30ff38bab699b87c2106cf652eea8311d26c0d.exe

pid process

5356 Trojan-Ransom.Win32.Agent.azbu-c4bd0baec275a7f967adf3df4d30ff38bab699b87c2106cf652eea8311d26c0d.exe

Drops startup file 17 IoCs

Processes:

HEUR-Trojan-Ransom.MSIL.Spora.gen-08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe2.exe3.exetaskmgr.exe1.exeTrojan-Ransom.Win32.Agent.azbu-c4bd0baec275a7f967adf3df4d30ff38bab699b87c2106cf652eea8311d26c0d.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftExplorer.exe	HEUR-Trojan-Ransom.MSIL.Spora.gen-08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DesktopExplorer.exe	2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftExplorer.exe	3.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\desktopexplorer.exe.enc	taskmgr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftExplorer.exe	HEUR-Trojan-Ransom.MSIL.Spora.gen-08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSbuild.exe	1.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\msbuild.exe	taskmgr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DesktopExplorer.exe.enc	Trojan-Ransom.Win32.Agent.azbu-c4bd0baec275a7f967adf3df4d30ff38bab699b87c2106cf652eea8311d26c0d.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\msbuild.exe.enc	taskmgr.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\desktopexplorer.exe	taskmgr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.enc	Trojan-Ransom.Win32.Agent.azbu-c4bd0baec275a7f967adf3df4d30ff38bab699b87c2106cf652eea8311d26c0d.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\desktop.ini.enc	taskmgr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSbuild.exe.enc	Trojan-Ransom.Win32.Agent.azbu-c4bd0baec275a7f967adf3df4d30ff38bab699b87c2106cf652eea8311d26c0d.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DesktopExplorer.exe	2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSbuild.exe	1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftExplorer.exe.enc	Trojan-Ransom.Win32.Agent.azbu-c4bd0baec275a7f967adf3df4d30ff38bab699b87c2106cf652eea8311d26c0d.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\microsoftexplorer.exe.enc	taskmgr.exe

Executes dropped EXE 30 IoCs

Processes:

HEUR-Trojan-Ransom.MSIL.Blocker.gen-9719af69674f28958a71bcb0ac15c42f2b512eec759d70b0a6cc70811dcd4efb.exeHEUR-Trojan-Ransom.MSIL.Crusis.gen-cab9a80193d8de8880695ff176379cc4e3378a3f0bc901a973c8d2cf419ed920.exeHEUR-Trojan-Ransom.MSIL.Spora.gen-08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-d25a49887f13b5addc9697fde203dd80c306a9ca7f05b2d8e9fcd7a5e5b2b899.exeHEUR-Trojan-Ransom.Win32.GandCrypt.gen-1bc42d80ecc9175d0ba4e0a8c394956d3111bf2ab7439d88380de3219394e9da.exeHEUR-Trojan-Ransom.Win32.Generic-ee2e4aa25d60b1dae3d55608d5c902979fc78c72d21e3de30a9736c9cdc83f41.exeHEUR-Trojan-Ransom.Win32.Haka.vho-215eaa198c532599bc17be38c8e8e626311b038246825f7d01d130a47664c4b3.exemore files.exewmiintegrator.exewmihostwin.exeTrojan-Ransom.Win32.Agent.azbu-c4bd0baec275a7f967adf3df4d30ff38bab699b87c2106cf652eea8311d26c0d.exewmimic.exewmisecure64.exewmisecure.exeTrojan-Ransom.Win32.Blocker.iwia-a26158b8cc1468d3e001a38142c99b747796db3bfd581171bae02ba1851cd122.exeTrojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exeTrojan-Ransom.Win32.Cryptor.drc-2371e34ce5fb3b6017ec3dbbbde49f068d0e0d86ef9f1aed25427d0ca2b5f59f.exeTrojan-Ransom.Win32.Foreign.myji-be448df866a7477e64836dd44a38823f60c4db38f6421f25161a573546ec0cef.exeHEUR-Trojan-Ransom.MSIL.Spora.gen-08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exeVHO-Trojan-Ransom.Win32.Blocker.gen-cab8be7e77b689a5181d37ecd7d25ad629f5d609abf021bf3f556d61921d28d9.exeVHO-Trojan-Ransom.Win32.Crypmodadv.gen-3dbc9fc4a183ffed4025e9a8eb85cead96e2378776bab6aa8c0654b2c44ecb5f.exe1.exe2.exe3.exe1.exe2.exe2.exe3.exeosign.exeAddInProcess32.exe

pid	process
1584	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9719af69674f28958a71bcb0ac15c42f2b512eec759d70b0a6cc70811dcd4efb.exe
2140	HEUR-Trojan-Ransom.MSIL.Crusis.gen-cab9a80193d8de8880695ff176379cc4e3378a3f0bc901a973c8d2cf419ed920.exe
2976	HEUR-Trojan-Ransom.MSIL.Spora.gen-08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
2632	HEUR-Trojan-Ransom.Win32.Blocker.gen-d25a49887f13b5addc9697fde203dd80c306a9ca7f05b2d8e9fcd7a5e5b2b899.exe
3352	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-1bc42d80ecc9175d0ba4e0a8c394956d3111bf2ab7439d88380de3219394e9da.exe
3136	HEUR-Trojan-Ransom.Win32.Generic-ee2e4aa25d60b1dae3d55608d5c902979fc78c72d21e3de30a9736c9cdc83f41.exe
3784	HEUR-Trojan-Ransom.Win32.Haka.vho-215eaa198c532599bc17be38c8e8e626311b038246825f7d01d130a47664c4b3.exe
2964	more files.exe
212	wmiintegrator.exe
5280	wmihostwin.exe
5356	Trojan-Ransom.Win32.Agent.azbu-c4bd0baec275a7f967adf3df4d30ff38bab699b87c2106cf652eea8311d26c0d.exe
5376	wmimic.exe
5484	wmisecure64.exe
5460	wmisecure.exe
5664	Trojan-Ransom.Win32.Blocker.iwia-a26158b8cc1468d3e001a38142c99b747796db3bfd581171bae02ba1851cd122.exe
5832	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
3004	Trojan-Ransom.Win32.Cryptor.drc-2371e34ce5fb3b6017ec3dbbbde49f068d0e0d86ef9f1aed25427d0ca2b5f59f.exe
1172	Trojan-Ransom.Win32.Foreign.myji-be448df866a7477e64836dd44a38823f60c4db38f6421f25161a573546ec0cef.exe
5312	HEUR-Trojan-Ransom.MSIL.Spora.gen-08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
2512	VHO-Trojan-Ransom.Win32.Blocker.gen-cab8be7e77b689a5181d37ecd7d25ad629f5d609abf021bf3f556d61921d28d9.exe
5716	VHO-Trojan-Ransom.Win32.Crypmodadv.gen-3dbc9fc4a183ffed4025e9a8eb85cead96e2378776bab6aa8c0654b2c44ecb5f.exe
5928	1.exe
3432	2.exe
476	3.exe
412	1.exe
2616	2.exe
4220	2.exe
5260	3.exe
4800	osign.exe
5648	AddInProcess32.exe

Loads dropped DLL 2 IoCs

Processes:

HEUR-Trojan-Ransom.MSIL.Crusis.gen-cab9a80193d8de8880695ff176379cc4e3378a3f0bc901a973c8d2cf419ed920.exeosign.exe

pid process

2140 HEUR-Trojan-Ransom.MSIL.Crusis.gen-cab9a80193d8de8880695ff176379cc4e3378a3f0bc901a973c8d2cf419ed920.exe
4800 osign.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unexpected DNS network traffic destination 4 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 66.70.228.164
Destination IP 51.254.25.115
Destination IP 149.56.184.112
Destination IP 66.70.228.164
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

pid	process
2140	HEUR-Trojan-Ransom.MSIL.Crusis.gen-cab9a80193d8de8880695ff176379cc4e3378a3f0bc901a973c8d2cf419ed920.exe
4800	osign.exe

description	ioc
Destination IP	66.70.228.164
Destination IP	51.254.25.115
Destination IP	149.56.184.112
Destination IP	66.70.228.164

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

AddInProcess32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	AddInProcess32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	AddInProcess32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	AddInProcess32.exe

Adds Run key to start application 2 TTPs 25 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-9719af69674f28958a71bcb0ac15c42f2b512eec759d70b0a6cc70811dcd4efb.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sobm = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\osign.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\svchost.exe"	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9719af69674f28958a71bcb0ac15c42f2b512eec759d70b0a6cc70811dcd4efb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

explorer.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Drops file in System32 directory 64 IoCs

Processes:

Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Licenses\neutral\_Default\Professional\de-license.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File opened for modification	C:\Windows\SysWOW64\@EnrollmentToastIcon.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\Professional\license.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\Professional\license.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SysWOW64\uk-UA\Licenses\_Default\Professional\license.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\Professional\license.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SysWOW64\en-US\lipeula.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.ppt.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe.config.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\Professional\license.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SysWOW64\de-DE\lpeula.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SysWOW64\uk-UA\Licenses\Volume\Professional\license.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\Licenses\OEM\Professional\license.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\Professional\license.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\lipeula.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\Professional\license.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\Professional\license.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File opened for modification	C:\Windows\SysWOW64\@AudioToastIcon.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File opened for modification	C:\Windows\SysWOW64\DefaultAccountTile.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File opened for modification	C:\Windows\SysWOW64\uk-UA\lipeula.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\default.help.txt.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\Professional\license.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\Professional\license.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SysWOW64\Licenses\neutral\OEM\Professional\de-license.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SysWOW64\Licenses\neutral\Volume\Professional\license.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SysWOW64\SecurityAndMaintenance_Error.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\Professional\license.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File opened for modification	C:\Windows\SysWOW64\uk-UA\Licenses\_Default\Professional\license.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe.config.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\Volume\Professional\license.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SysWOW64\it-IT\lpeula.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SysWOW64\WindowsCodecsRaw.txt.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\OEM\Professional\license.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\lipeula.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\lpeula.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SysWOW64\de-DE\lipeula.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\default.help.txt.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\lpeula.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File opened for modification	C:\Windows\SysWOW64\Licenses\neutral\OEM\Professional\license.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File opened for modification	C:\Windows\SysWOW64\uk-UA\Licenses\Volume\Professional\license.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SysWOW64\@EnrollmentToastIcon.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File opened for modification	C:\Windows\SysWOW64\@AppHelpToast.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\OEM\Professional\license.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File opened for modification	C:\Windows\SysWOW64\en-US\lipeula.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File opened for modification	C:\Windows\SysWOW64\en-US\lpeula.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\_Default\Professional\license.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SysWOW64\@AppHelpToast.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\Volume\Professional\license.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SysWOW64\fr-FR\lipeula.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SysWOW64\ja-JP\lipeula.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.txt.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\default.help.txt.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\lipeula.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File opened for modification	C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.ppt.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File opened for modification	C:\Windows\SysWOW64\SecurityAndMaintenance_Error.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SysWOW64\@AudioToastIcon.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\Volume\Professional\license.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\Professional\license.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File opened for modification	C:\Windows\SysWOW64\@VpnToastIcon.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Licenses\_Default\Professional\license.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\lpeula.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

Processes:

Trojan-Ransom.Win32.Agent.azbu-c4bd0baec275a7f967adf3df4d30ff38bab699b87c2106cf652eea8311d26c0d.exe

pid	process
5356	Trojan-Ransom.Win32.Agent.azbu-c4bd0baec275a7f967adf3df4d30ff38bab699b87c2106cf652eea8311d26c0d.exe
5356	Trojan-Ransom.Win32.Agent.azbu-c4bd0baec275a7f967adf3df4d30ff38bab699b87c2106cf652eea8311d26c0d.exe
5356	Trojan-Ransom.Win32.Agent.azbu-c4bd0baec275a7f967adf3df4d30ff38bab699b87c2106cf652eea8311d26c0d.exe
5356	Trojan-Ransom.Win32.Agent.azbu-c4bd0baec275a7f967adf3df4d30ff38bab699b87c2106cf652eea8311d26c0d.exe
5356	Trojan-Ransom.Win32.Agent.azbu-c4bd0baec275a7f967adf3df4d30ff38bab699b87c2106cf652eea8311d26c0d.exe
5356	Trojan-Ransom.Win32.Agent.azbu-c4bd0baec275a7f967adf3df4d30ff38bab699b87c2106cf652eea8311d26c0d.exe
5356	Trojan-Ransom.Win32.Agent.azbu-c4bd0baec275a7f967adf3df4d30ff38bab699b87c2106cf652eea8311d26c0d.exe
5356	Trojan-Ransom.Win32.Agent.azbu-c4bd0baec275a7f967adf3df4d30ff38bab699b87c2106cf652eea8311d26c0d.exe
5356	Trojan-Ransom.Win32.Agent.azbu-c4bd0baec275a7f967adf3df4d30ff38bab699b87c2106cf652eea8311d26c0d.exe
5356	Trojan-Ransom.Win32.Agent.azbu-c4bd0baec275a7f967adf3df4d30ff38bab699b87c2106cf652eea8311d26c0d.exe
5356	Trojan-Ransom.Win32.Agent.azbu-c4bd0baec275a7f967adf3df4d30ff38bab699b87c2106cf652eea8311d26c0d.exe
5356	Trojan-Ransom.Win32.Agent.azbu-c4bd0baec275a7f967adf3df4d30ff38bab699b87c2106cf652eea8311d26c0d.exe
5356	Trojan-Ransom.Win32.Agent.azbu-c4bd0baec275a7f967adf3df4d30ff38bab699b87c2106cf652eea8311d26c0d.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

HEUR-Trojan-Ransom.MSIL.Blocker.gen-9719af69674f28958a71bcb0ac15c42f2b512eec759d70b0a6cc70811dcd4efb.exeHEUR-Trojan-Ransom.MSIL.Spora.gen-08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe1.exe2.exe3.exeosign.exe

description	pid	process	target process
PID 1584 set thread context of 5640	1584	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9719af69674f28958a71bcb0ac15c42f2b512eec759d70b0a6cc70811dcd4efb.exe	vbc.exe
PID 2976 set thread context of 5312	2976	HEUR-Trojan-Ransom.MSIL.Spora.gen-08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe	HEUR-Trojan-Ransom.MSIL.Spora.gen-08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
PID 5928 set thread context of 412	5928	1.exe	1.exe
PID 3432 set thread context of 4220	3432	2.exe	2.exe
PID 476 set thread context of 5260	476	3.exe	3.exe
PID 4800 set thread context of 5648	4800	osign.exe	AddInProcess32.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\00391\HEUR-Trojan-Ransom.Win32.Haka.vho-215eaa198c532599bc17be38c8e8e626311b038246825f7d01d130a47664c4b3.exe	upx
behavioral1/memory/3784-101-0x0000000000800000-0x0000000000995000-memory.dmp	upx
behavioral1/memory/3784-478-0x0000000000800000-0x0000000000995000-memory.dmp	upx
behavioral1/memory/3784-6059-0x0000000000800000-0x0000000000995000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe

description	ioc	process
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_targetsize-256.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-20.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-24.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailSplashLogo.scale-100.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\TXP_CarReservation_Light.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\ui-strings.js.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-125_contrast-white.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\WideTile.scale-125.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-100.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\de-de\ui-strings.js.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TimerWideTile.contrast-white_scale-100.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailMediumTile.scale-200.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-32.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\plugin.js.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ca-es\ui-strings.js.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\or.pak.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-moreimages.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_altform-unplated_contrast-black.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailLargeTile.scale-125.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\LargeTile.scale-200.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_contrast-black.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-32.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-200.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-72.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\index_poster.jpg.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Light.pdf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\TriPeaks.Large.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteSmallTile.scale-200.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\SmallTile.scale-200.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluEmptyStateCCFiles_280x192.svg.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\editpdf-tool-view.js.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\pt-br\ui-strings.js.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\SmartSelect\Magic_Select_crop_handles.mp4.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Call_Ringing_Long.m4a.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected]	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\es-es\ui-strings.js.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-48_altform-lightunplated.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-32.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\convertpdf-tool-view.js.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\root\ui-strings.js.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\css\main.css.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-32_altform-unplated_contrast-black.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\SmallTile.scale-200.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ar-ae\ui-strings.js.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ko.pak.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleAppAssets\Videos\people_fre_motionAsset_p3.mp4.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_download_18.svg.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-32_contrast-black.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorWideTile.contrast-white_scale-200.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Google.scale-400.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_contrast-white.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\ImagePlaceholder.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageWideTile.scale-125.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-125.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StopwatchMedTile.contrast-white_scale-100.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-125.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-100_contrast-white.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageWideTile.scale-100.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\LockScreenLogo.scale-200.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_contrast-black.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\MedTile.scale-100.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\nb-no\ui-strings.js.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageWideTile.scale-100_contrast-black.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe

Drops file in Windows directory 64 IoCs

Processes:

Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe

description	ioc	process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.1266_none_fb76f6fb7e78a373\InputApp\InputApp\Assets\BadgeLogo.scale-125.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-t..-coreinkrecognition_31bf3856ad364e35_10.0.19041.746_none_d5e636c38e22b9d4\ThirdPartyNotices.MSHWLatin.txt.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ApplicationGuard\LearnMore.html.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\InputApp\Assets\SquareLogo310x310.scale-400.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ui-search_31bf3856ad364e35_10.0.19041.746_none_d30a83ff81d13ba6\logo.contrast-black_scale-80.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-x..jectdialog.appxmain_31bf3856ad364e35_10.0.19041.1_none_b1240cd13c584c1c\SquareTile310x150.scale-400.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1_none_97b0a47239f6db64\PeopleLogo.targetsize-64_altform-unplated_contrast-black.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell (x86).lnk.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobeoutro-main.html.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\appFrame.js.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\contrast-white\SmallTile.scale-400.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\ProvisionedCertificates.svg.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\es\SqlPersistenceService_Schema.sql.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\debugger\images\stepInto.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\pdferrorneedcontentlocally.html.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\policy.js.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-management-oobe_31bf3856ad364e35_10.0.19041.1266_none_e6ebbe2a02425392\mdmbootstrapsessionutilities.js.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-management-oobe_31bf3856ad364e35_10.0.19041.207_none_504b6becabbef9fe\oobeenterpriseprovisioning-vm.js.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..e.desktop.searchapp_31bf3856ad364e35_10.0.19041.1_none_43fe9f4e368e081f\15.txt.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_10.0.19041.1_en-us_81f80a2d752be55c\default.help.txt.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\ImmersiveControlPanel\images\TileSmall.scale-125.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\SlickGrid\slick.core.js.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\js\navigator.js.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\x86_netfx4-legacy_web_minimaltrust_config_b03f5f7f11d50a3a_4.0.15805.0_none_6e012ad32f64ae2a\legacy.web_minimaltrust.config.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-l..efault-professional_31bf3856ad364e35_10.0.19041.1288_none_0fb30e7d925e4d06\f\de-license.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Code\ProvidersPage.cs.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\RetailDemo\retailDemoShutdowns.js.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_e149786fa07e68ce\lpeula.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.19041.844_none_d9eb415c5b9dbe4e\Square71x71Logo.scale-100.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\slick.grid.js.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ui-shellcommon-core_31bf3856ad364e35_10.0.19041.1_none_91b1f58702057373\NearShare.contrast-white_scale-100.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\x86_netfx4-aspnet_webevent_sqlprov_b03f5f7f11d50a3a_4.0.15805.0_none_759b86bfc3994189\UninstallWebEventSqlProvider.sql.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\pdferrorquitapplicationguard.html.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..ngshellapp.appxmain_31bf3856ad364e35_10.0.19041.84_none_24f8aafdaceaf0b5\square150x150logo.scale-125.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.19041.844_none_d9eb415c5b9dbe4e\BadgeLogo.contrast-white_scale-100.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.173_none_6486f23c2831aaf3\InputApp\InputApp\Assets\BadgeLogo.scale-150.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.1_none_75cd350cc8b5dbcf\BreadcrumbScrollLeftHover.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.1_none_75cd350cc8b5dbcf\functionIcon.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..honyinteractiveuser_31bf3856ad364e35_10.0.19041.264_none_a61d15efb6291d40\YourPhoneCallingToast.scale-400_contrast-black.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\NarratorUWPSplashScreen.scale-125_contrast-black.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\NarratorUWPSquare44x44Logo.targetsize-80.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_netfx4-aspnet_webadmin_code_b03f5f7f11d50a3a_4.0.15805.0_none_609a9e92187a15f4\WebAdminPage.cs.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\retailDemoShared.js.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.19041.1_none_b1e502c19c2a358b\Square310x310Logo.contrast-black_scale-150.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\MicrosoftEdgeSquare44x44.scale-400.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\NarratorUWPSquare44x44Logo.targetsize-32_altform-unplated_contrast-white.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.19041.1202_none_8f7e37524c3e1a13\wide.AppsRtl.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ui-shell-component_31bf3856ad364e35_10.0.19041.746_none_2b9acc2d69574796\Icon_MMXresume.contrast-white_scale-125.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1_de-de_0e7141475153fd0f\license.rtf.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..ngshellapp.appxmain_31bf3856ad364e35_10.0.19041.746_none_0b4ed891dd9ccbc8\Splashscreen.scale-125_contrast-white.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-usertiles-client_31bf3856ad364e35_10.0.19041.1_none_df86f0e7b84bf07b\user-48.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\msbuild.exe.config.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.19041.1202_none_8f7e37524c3e1a13\splashscreen.scale-125.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxmain_31bf3856ad364e35_10.0.19041.964_none_90d24b203cdf4e96\Square150x150Logo.scale-400.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-fileexplorer.appxmain_31bf3856ad364e35_10.0.19041.546_none_476476bb5c3a0bbc\SquareTile44x44.targetsize-48_altform-lightunplated_devicefamily-colorfulunplated.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.1_none_75cd350cc8b5dbcf\sliderButton.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\wow64_netfx4clientcorecomp.resources_31bf3856ad364e35_10.0.15805.0_it-it_0d9052e350483924\SqlWorkflowInstanceStoreSchema.sql.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.1_none_75cd350cc8b5dbcf\returnValue.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d1f435fdf91e63d5\TridentErrorPageStyles.css.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_netfx4-web_hightrust_config_b03f5f7f11d50a3a_4.0.15805.0_none_bf40df7b1e70810f\web_hightrust.config.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\SystemResources\Windows.UI.AccountsControl\Images\Generic.Theme-Light_Scale-300.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobe-surface.css.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\Divider.css.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..okerplugin.appxmain_31bf3856ad364e35_10.0.19041.1_none_11b2da2074e7d6e4\StoreLogo.scale-100.png.lockz	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5256	3352	WerFault.exe	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-1bc42d80ecc9175d0ba4e0a8c394956d3111bf2ab7439d88380de3219394e9da.exe
5772	5664	WerFault.exe	Trojan-Ransom.Win32.Blocker.iwia-a26158b8cc1468d3e001a38142c99b747796db3bfd581171bae02ba1851cd122.exe
872	1172	WerFault.exe	Trojan-Ransom.Win32.Foreign.myji-be448df866a7477e64836dd44a38823f60c4db38f6421f25161a573546ec0cef.exe
4068	5260	WerFault.exe	3.exe

System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

HEUR-Trojan-Ransom.MSIL.Blocker.gen-9719af69674f28958a71bcb0ac15c42f2b512eec759d70b0a6cc70811dcd4efb.exereg.exereg.exewmiintegrator.exereg.exereg.exeHEUR-Trojan-Ransom.Win32.GandCrypt.gen-1bc42d80ecc9175d0ba4e0a8c394956d3111bf2ab7439d88380de3219394e9da.exewmihostwin.exeTrojan-Ransom.Win32.Foreign.myji-be448df866a7477e64836dd44a38823f60c4db38f6421f25161a573546ec0cef.exereg.exereg.exeHEUR-Trojan-Ransom.MSIL.Crusis.gen-cab9a80193d8de8880695ff176379cc4e3378a3f0bc901a973c8d2cf419ed920.exeTrojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-d25a49887f13b5addc9697fde203dd80c306a9ca7f05b2d8e9fcd7a5e5b2b899.exewmisecure64.exe3.exereg.exereg.exemore files.exereg.exeosign.exereg.exeVHO-Trojan-Ransom.Win32.Crypmodadv.gen-3dbc9fc4a183ffed4025e9a8eb85cead96e2378776bab6aa8c0654b2c44ecb5f.exe2.execmd.exereg.exevbc.exe2.exereg.exereg.exereg.exereg.exewmimic.exeTrojan-Ransom.Win32.Blocker.iwia-a26158b8cc1468d3e001a38142c99b747796db3bfd581171bae02ba1851cd122.exeTrojan-Ransom.Win32.Cryptor.drc-2371e34ce5fb3b6017ec3dbbbde49f068d0e0d86ef9f1aed25427d0ca2b5f59f.exereg.exereg.exereg.exeHEUR-Trojan-Ransom.MSIL.Spora.gen-08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exereg.exe1.exereg.exe1.exereg.exereg.exeHEUR-Trojan-Ransom.Win32.Haka.vho-215eaa198c532599bc17be38c8e8e626311b038246825f7d01d130a47664c4b3.exewmisecure.exeHEUR-Trojan-Ransom.MSIL.Spora.gen-08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exereg.exereg.exeHEUR-Trojan-Ransom.Win32.Generic-ee2e4aa25d60b1dae3d55608d5c902979fc78c72d21e3de30a9736c9cdc83f41.exeTrojan-Ransom.Win32.Agent.azbu-c4bd0baec275a7f967adf3df4d30ff38bab699b87c2106cf652eea8311d26c0d.exeVHO-Trojan-Ransom.Win32.Blocker.gen-cab8be7e77b689a5181d37ecd7d25ad629f5d609abf021bf3f556d61921d28d9.exe3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9719af69674f28958a71bcb0ac15c42f2b512eec759d70b0a6cc70811dcd4efb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmiintegrator.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-1bc42d80ecc9175d0ba4e0a8c394956d3111bf2ab7439d88380de3219394e9da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmihostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Foreign.myji-be448df866a7477e64836dd44a38823f60c4db38f6421f25161a573546ec0cef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Crusis.gen-cab9a80193d8de8880695ff176379cc4e3378a3f0bc901a973c8d2cf419ed920.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Blocker.gen-d25a49887f13b5addc9697fde203dd80c306a9ca7f05b2d8e9fcd7a5e5b2b899.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisecure64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more files.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	osign.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VHO-Trojan-Ransom.Win32.Crypmodadv.gen-3dbc9fc4a183ffed4025e9a8eb85cead96e2378776bab6aa8c0654b2c44ecb5f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmimic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.iwia-a26158b8cc1468d3e001a38142c99b747796db3bfd581171bae02ba1851cd122.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Cryptor.drc-2371e34ce5fb3b6017ec3dbbbde49f068d0e0d86ef9f1aed25427d0ca2b5f59f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Spora.gen-08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Haka.vho-215eaa198c532599bc17be38c8e8e626311b038246825f7d01d130a47664c4b3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmisecure.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Spora.gen-08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-ee2e4aa25d60b1dae3d55608d5c902979fc78c72d21e3de30a9736c9cdc83f41.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Agent.azbu-c4bd0baec275a7f967adf3df4d30ff38bab699b87c2106cf652eea8311d26c0d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VHO-Trojan-Ransom.Win32.Blocker.gen-cab8be7e77b689a5181d37ecd7d25ad629f5d609abf021bf3f556d61921d28d9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

explorer.exeexplorer.exetaskmgr.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

Processes:

SearchApp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

Processes:

SearchApp.exeexplorer.exeexplorer.exeStartMenuExperienceHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\fr-FR\\VoiceActivation_HW_fr-FR.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SW"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{E164F996-FF93-4675-BDD8-6C47AB0B86B1}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR en-US Lookup Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Ayumi"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{0B3398EA-00F1-418b-AA31-6F2F9BE5809B}"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-1031-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\r1036sr.lxa"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4050598569-1597076380-177084960-1000\{A5741DE6-400D-4CDA-87D7-151F37C4D2DE}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR es-ES Lookup Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR it-IT Locale Handler"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; computer=NativeSupported; address=NativeSupported; currency=NativeSupported; message=NativeSupported; url=NativeSupported; alphanumeric=NativeSupported"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR ja-JP Lts Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\ja-JP\\MSTTSLocjaJP.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; address=NativeSupported; message=NativeSupported; url=NativeSupported; currency=NativeSupported; alphanumeric=NativeSupported"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{81218F10-A8AA-44C4-9436-33A42C3852E9}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{15E16AEC-F2F0-4E52-B0DF-029D11E58E4B}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-1040-110-WINMO-DNN"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "129"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech Recognition Engine - de-DE Embedded DNN v11.1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Male"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\MSTTSLocesES.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Laura"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\es-ES\\VoiceActivation_es-ES.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\L1041"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "CC"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L1033"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Pablo"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Cosimo - Italian (Italy)"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "804"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L3082"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-3082-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Cosimo"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\r1041sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Vous avez sélectionné %1 comme voix par défaut."	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{06405088-BC01-4E08-B392-5303E75090C8}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\de-DE\\sidubm.table"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR es-ES Lts Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - Japanese (Japan)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "40C"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "en-US"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\MSTTSLocenUS.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_en-US.dat.prev"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\r3082sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\fr-FR\\M1036Hortense"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\r1040sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\it-IT\\VoiceActivation_it-IT.dat"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "411"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Zira"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\L1040"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\ja-JP\\sidubm.table"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Helena - Spanish (Spain)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\c1036.fe"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-1036-110-WINMO-DNN"	SearchApp.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

564 NOTEPAD.EXE

pid	process
564	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exetaskmgr.exepowershell.exe

pid	process
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
4128	powershell.exe
4128	powershell.exe
4128	powershell.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

7zFM.exetaskmgr.exe2.exe

pid process

3308 7zFM.exe
2100 taskmgr.exe
4220 2.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

HEUR-Trojan-Ransom.MSIL.Blocker.gen-9719af69674f28958a71bcb0ac15c42f2b512eec759d70b0a6cc70811dcd4efb.exe

pid process

1584 HEUR-Trojan-Ransom.MSIL.Blocker.gen-9719af69674f28958a71bcb0ac15c42f2b512eec759d70b0a6cc70811dcd4efb.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exetaskmgr.exetaskmgr.exepowershell.exeHEUR-Trojan-Ransom.MSIL.Spora.gen-08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exeHEUR-Trojan-Ransom.MSIL.Crusis.gen-cab9a80193d8de8880695ff176379cc4e3378a3f0bc901a973c8d2cf419ed920.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-9719af69674f28958a71bcb0ac15c42f2b512eec759d70b0a6cc70811dcd4efb.exe1.exe3.exe2.exe2.exevbc.exeosign.exeTrojan-Ransom.Win32.Agent.azbu-c4bd0baec275a7f967adf3df4d30ff38bab699b87c2106cf652eea8311d26c0d.exeexplorer.exeexplorer.exe

description	pid	process
Token: SeRestorePrivilege	3308	7zFM.exe
Token: 35	3308	7zFM.exe
Token: SeSecurityPrivilege	3308	7zFM.exe
Token: SeDebugPrivilege	1784	taskmgr.exe
Token: SeSystemProfilePrivilege	1784	taskmgr.exe
Token: SeCreateGlobalPrivilege	1784	taskmgr.exe
Token: SeDebugPrivilege	2100	taskmgr.exe
Token: SeSystemProfilePrivilege	2100	taskmgr.exe
Token: SeCreateGlobalPrivilege	2100	taskmgr.exe
Token: 33	1784	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1784	taskmgr.exe
Token: SeDebugPrivilege	4128	powershell.exe
Token: SeDebugPrivilege	2976	HEUR-Trojan-Ransom.MSIL.Spora.gen-08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
Token: SeDebugPrivilege	2140	HEUR-Trojan-Ransom.MSIL.Crusis.gen-cab9a80193d8de8880695ff176379cc4e3378a3f0bc901a973c8d2cf419ed920.exe
Token: SeDebugPrivilege	1584	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9719af69674f28958a71bcb0ac15c42f2b512eec759d70b0a6cc70811dcd4efb.exe
Token: SeDebugPrivilege	5928	1.exe
Token: SeDebugPrivilege	476	3.exe
Token: SeDebugPrivilege	3432	2.exe
Token: SeDebugPrivilege	4220	2.exe
Token: SeDebugPrivilege	5640	vbc.exe
Token: SeDebugPrivilege	4800	osign.exe
Token: SeDebugPrivilege	5356	Trojan-Ransom.Win32.Agent.azbu-c4bd0baec275a7f967adf3df4d30ff38bab699b87c2106cf652eea8311d26c0d.exe
Token: SeShutdownPrivilege	5908	explorer.exe
Token: SeCreatePagefilePrivilege	5908	explorer.exe
Token: SeShutdownPrivilege	5908	explorer.exe
Token: SeCreatePagefilePrivilege	5908	explorer.exe
Token: SeShutdownPrivilege	5908	explorer.exe
Token: SeCreatePagefilePrivilege	5908	explorer.exe
Token: SeShutdownPrivilege	5908	explorer.exe
Token: SeCreatePagefilePrivilege	5908	explorer.exe
Token: SeShutdownPrivilege	5908	explorer.exe
Token: SeCreatePagefilePrivilege	5908	explorer.exe
Token: SeShutdownPrivilege	5908	explorer.exe
Token: SeCreatePagefilePrivilege	5908	explorer.exe
Token: SeShutdownPrivilege	5908	explorer.exe
Token: SeCreatePagefilePrivilege	5908	explorer.exe
Token: SeShutdownPrivilege	5908	explorer.exe
Token: SeCreatePagefilePrivilege	5908	explorer.exe
Token: SeShutdownPrivilege	5908	explorer.exe
Token: SeCreatePagefilePrivilege	5908	explorer.exe
Token: SeShutdownPrivilege	5908	explorer.exe
Token: SeCreatePagefilePrivilege	5908	explorer.exe
Token: SeShutdownPrivilege	5908	explorer.exe
Token: SeCreatePagefilePrivilege	5908	explorer.exe
Token: SeShutdownPrivilege	5908	explorer.exe
Token: SeCreatePagefilePrivilege	5908	explorer.exe
Token: SeShutdownPrivilege	6048	explorer.exe
Token: SeCreatePagefilePrivilege	6048	explorer.exe
Token: SeShutdownPrivilege	6048	explorer.exe
Token: SeCreatePagefilePrivilege	6048	explorer.exe
Token: SeShutdownPrivilege	6048	explorer.exe
Token: SeCreatePagefilePrivilege	6048	explorer.exe
Token: SeShutdownPrivilege	6048	explorer.exe
Token: SeCreatePagefilePrivilege	6048	explorer.exe
Token: SeShutdownPrivilege	6048	explorer.exe
Token: SeCreatePagefilePrivilege	6048	explorer.exe
Token: SeShutdownPrivilege	6048	explorer.exe
Token: SeCreatePagefilePrivilege	6048	explorer.exe
Token: SeShutdownPrivilege	6048	explorer.exe
Token: SeCreatePagefilePrivilege	6048	explorer.exe
Token: SeShutdownPrivilege	6048	explorer.exe
Token: SeCreatePagefilePrivilege	6048	explorer.exe
Token: SeShutdownPrivilege	6048	explorer.exe
Token: SeCreatePagefilePrivilege	6048	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

7zFM.exetaskmgr.exetaskmgr.exe

pid	process
3308	7zFM.exe
3308	7zFM.exe
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
2100	taskmgr.exe
1784	taskmgr.exe
2100	taskmgr.exe
1784	taskmgr.exe
2100	taskmgr.exe
1784	taskmgr.exe
2100	taskmgr.exe
1784	taskmgr.exe
2100	taskmgr.exe
1784	taskmgr.exe
2100	taskmgr.exe
1784	taskmgr.exe
2100	taskmgr.exe
1784	taskmgr.exe
2100	taskmgr.exe
1784	taskmgr.exe
2100	taskmgr.exe
1784	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exetaskmgr.exe

pid	process
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
1784	taskmgr.exe
2100	taskmgr.exe
1784	taskmgr.exe
2100	taskmgr.exe
1784	taskmgr.exe
2100	taskmgr.exe
1784	taskmgr.exe
2100	taskmgr.exe
1784	taskmgr.exe
2100	taskmgr.exe
1784	taskmgr.exe
2100	taskmgr.exe
1784	taskmgr.exe
2100	taskmgr.exe
1784	taskmgr.exe
2100	taskmgr.exe
1784	taskmgr.exe
2100	taskmgr.exe
1784	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe
2100	taskmgr.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

Trojan-Ransom.Win32.Agent.azbu-c4bd0baec275a7f967adf3df4d30ff38bab699b87c2106cf652eea8311d26c0d.exeTrojan-Ransom.Win32.Foreign.myji-be448df866a7477e64836dd44a38823f60c4db38f6421f25161a573546ec0cef.execmd.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeSearchApp.exe

pid	process
5356	Trojan-Ransom.Win32.Agent.azbu-c4bd0baec275a7f967adf3df4d30ff38bab699b87c2106cf652eea8311d26c0d.exe
1172	Trojan-Ransom.Win32.Foreign.myji-be448df866a7477e64836dd44a38823f60c4db38f6421f25161a573546ec0cef.exe
2664	cmd.exe
1832	StartMenuExperienceHost.exe
2564	StartMenuExperienceHost.exe
3140	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

taskmgr.exepowershell.execmd.exeHEUR-Trojan-Ransom.Win32.Generic-ee2e4aa25d60b1dae3d55608d5c902979fc78c72d21e3de30a9736c9cdc83f41.exemore files.exewmiintegrator.exewmihostwin.exewmimic.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-9719af69674f28958a71bcb0ac15c42f2b512eec759d70b0a6cc70811dcd4efb.exewmisecure64.exe

description	pid	process	target process
PID 1784 wrote to memory of 2100	1784	taskmgr.exe	taskmgr.exe
PID 1784 wrote to memory of 2100	1784	taskmgr.exe	taskmgr.exe
PID 4128 wrote to memory of 2664	4128	powershell.exe	cmd.exe
PID 4128 wrote to memory of 2664	4128	powershell.exe	cmd.exe
PID 2664 wrote to memory of 1584	2664	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9719af69674f28958a71bcb0ac15c42f2b512eec759d70b0a6cc70811dcd4efb.exe
PID 2664 wrote to memory of 1584	2664	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9719af69674f28958a71bcb0ac15c42f2b512eec759d70b0a6cc70811dcd4efb.exe
PID 2664 wrote to memory of 1584	2664	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9719af69674f28958a71bcb0ac15c42f2b512eec759d70b0a6cc70811dcd4efb.exe
PID 2664 wrote to memory of 2140	2664	cmd.exe	HEUR-Trojan-Ransom.MSIL.Crusis.gen-cab9a80193d8de8880695ff176379cc4e3378a3f0bc901a973c8d2cf419ed920.exe
PID 2664 wrote to memory of 2140	2664	cmd.exe	HEUR-Trojan-Ransom.MSIL.Crusis.gen-cab9a80193d8de8880695ff176379cc4e3378a3f0bc901a973c8d2cf419ed920.exe
PID 2664 wrote to memory of 2140	2664	cmd.exe	HEUR-Trojan-Ransom.MSIL.Crusis.gen-cab9a80193d8de8880695ff176379cc4e3378a3f0bc901a973c8d2cf419ed920.exe
PID 2664 wrote to memory of 2976	2664	cmd.exe	HEUR-Trojan-Ransom.MSIL.Spora.gen-08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
PID 2664 wrote to memory of 2976	2664	cmd.exe	HEUR-Trojan-Ransom.MSIL.Spora.gen-08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
PID 2664 wrote to memory of 2976	2664	cmd.exe	HEUR-Trojan-Ransom.MSIL.Spora.gen-08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
PID 2664 wrote to memory of 2632	2664	cmd.exe	HEUR-Trojan-Ransom.Win32.Blocker.gen-d25a49887f13b5addc9697fde203dd80c306a9ca7f05b2d8e9fcd7a5e5b2b899.exe
PID 2664 wrote to memory of 2632	2664	cmd.exe	HEUR-Trojan-Ransom.Win32.Blocker.gen-d25a49887f13b5addc9697fde203dd80c306a9ca7f05b2d8e9fcd7a5e5b2b899.exe
PID 2664 wrote to memory of 2632	2664	cmd.exe	HEUR-Trojan-Ransom.Win32.Blocker.gen-d25a49887f13b5addc9697fde203dd80c306a9ca7f05b2d8e9fcd7a5e5b2b899.exe
PID 2664 wrote to memory of 3352	2664	cmd.exe	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-1bc42d80ecc9175d0ba4e0a8c394956d3111bf2ab7439d88380de3219394e9da.exe
PID 2664 wrote to memory of 3352	2664	cmd.exe	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-1bc42d80ecc9175d0ba4e0a8c394956d3111bf2ab7439d88380de3219394e9da.exe
PID 2664 wrote to memory of 3352	2664	cmd.exe	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-1bc42d80ecc9175d0ba4e0a8c394956d3111bf2ab7439d88380de3219394e9da.exe
PID 2664 wrote to memory of 3136	2664	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-ee2e4aa25d60b1dae3d55608d5c902979fc78c72d21e3de30a9736c9cdc83f41.exe
PID 2664 wrote to memory of 3136	2664	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-ee2e4aa25d60b1dae3d55608d5c902979fc78c72d21e3de30a9736c9cdc83f41.exe
PID 2664 wrote to memory of 3136	2664	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-ee2e4aa25d60b1dae3d55608d5c902979fc78c72d21e3de30a9736c9cdc83f41.exe
PID 2664 wrote to memory of 3784	2664	cmd.exe	HEUR-Trojan-Ransom.Win32.Haka.vho-215eaa198c532599bc17be38c8e8e626311b038246825f7d01d130a47664c4b3.exe
PID 2664 wrote to memory of 3784	2664	cmd.exe	HEUR-Trojan-Ransom.Win32.Haka.vho-215eaa198c532599bc17be38c8e8e626311b038246825f7d01d130a47664c4b3.exe
PID 2664 wrote to memory of 3784	2664	cmd.exe	HEUR-Trojan-Ransom.Win32.Haka.vho-215eaa198c532599bc17be38c8e8e626311b038246825f7d01d130a47664c4b3.exe
PID 3136 wrote to memory of 2964	3136	HEUR-Trojan-Ransom.Win32.Generic-ee2e4aa25d60b1dae3d55608d5c902979fc78c72d21e3de30a9736c9cdc83f41.exe	more files.exe
PID 3136 wrote to memory of 2964	3136	HEUR-Trojan-Ransom.Win32.Generic-ee2e4aa25d60b1dae3d55608d5c902979fc78c72d21e3de30a9736c9cdc83f41.exe	more files.exe
PID 3136 wrote to memory of 2964	3136	HEUR-Trojan-Ransom.Win32.Generic-ee2e4aa25d60b1dae3d55608d5c902979fc78c72d21e3de30a9736c9cdc83f41.exe	more files.exe
PID 2964 wrote to memory of 212	2964	more files.exe	wmiintegrator.exe
PID 2964 wrote to memory of 212	2964	more files.exe	wmiintegrator.exe
PID 2964 wrote to memory of 212	2964	more files.exe	wmiintegrator.exe
PID 212 wrote to memory of 5280	212	wmiintegrator.exe	wmihostwin.exe
PID 212 wrote to memory of 5280	212	wmiintegrator.exe	wmihostwin.exe
PID 212 wrote to memory of 5280	212	wmiintegrator.exe	wmihostwin.exe
PID 2664 wrote to memory of 5356	2664	cmd.exe	Trojan-Ransom.Win32.Agent.azbu-c4bd0baec275a7f967adf3df4d30ff38bab699b87c2106cf652eea8311d26c0d.exe
PID 2664 wrote to memory of 5356	2664	cmd.exe	Trojan-Ransom.Win32.Agent.azbu-c4bd0baec275a7f967adf3df4d30ff38bab699b87c2106cf652eea8311d26c0d.exe
PID 2664 wrote to memory of 5356	2664	cmd.exe	Trojan-Ransom.Win32.Agent.azbu-c4bd0baec275a7f967adf3df4d30ff38bab699b87c2106cf652eea8311d26c0d.exe
PID 5280 wrote to memory of 5376	5280	wmihostwin.exe	wmimic.exe
PID 5280 wrote to memory of 5376	5280	wmihostwin.exe	wmimic.exe
PID 5280 wrote to memory of 5376	5280	wmihostwin.exe	wmimic.exe
PID 5376 wrote to memory of 5460	5376	wmimic.exe	wmisecure.exe
PID 5376 wrote to memory of 5460	5376	wmimic.exe	wmisecure.exe
PID 5376 wrote to memory of 5460	5376	wmimic.exe	wmisecure.exe
PID 5376 wrote to memory of 5484	5376	wmimic.exe	wmisecure64.exe
PID 5376 wrote to memory of 5484	5376	wmimic.exe	wmisecure64.exe
PID 5376 wrote to memory of 5484	5376	wmimic.exe	wmisecure64.exe
PID 1584 wrote to memory of 5640	1584	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9719af69674f28958a71bcb0ac15c42f2b512eec759d70b0a6cc70811dcd4efb.exe	vbc.exe
PID 1584 wrote to memory of 5640	1584	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9719af69674f28958a71bcb0ac15c42f2b512eec759d70b0a6cc70811dcd4efb.exe	vbc.exe
PID 1584 wrote to memory of 5640	1584	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9719af69674f28958a71bcb0ac15c42f2b512eec759d70b0a6cc70811dcd4efb.exe	vbc.exe
PID 1584 wrote to memory of 5640	1584	HEUR-Trojan-Ransom.MSIL.Blocker.gen-9719af69674f28958a71bcb0ac15c42f2b512eec759d70b0a6cc70811dcd4efb.exe	vbc.exe
PID 2664 wrote to memory of 5664	2664	cmd.exe	Trojan-Ransom.Win32.Blocker.iwia-a26158b8cc1468d3e001a38142c99b747796db3bfd581171bae02ba1851cd122.exe
PID 2664 wrote to memory of 5664	2664	cmd.exe	Trojan-Ransom.Win32.Blocker.iwia-a26158b8cc1468d3e001a38142c99b747796db3bfd581171bae02ba1851cd122.exe
PID 2664 wrote to memory of 5664	2664	cmd.exe	Trojan-Ransom.Win32.Blocker.iwia-a26158b8cc1468d3e001a38142c99b747796db3bfd581171bae02ba1851cd122.exe
PID 2664 wrote to memory of 5832	2664	cmd.exe	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
PID 2664 wrote to memory of 5832	2664	cmd.exe	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
PID 2664 wrote to memory of 5832	2664	cmd.exe	Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
PID 2664 wrote to memory of 3004	2664	cmd.exe	Trojan-Ransom.Win32.Cryptor.drc-2371e34ce5fb3b6017ec3dbbbde49f068d0e0d86ef9f1aed25427d0ca2b5f59f.exe
PID 2664 wrote to memory of 3004	2664	cmd.exe	Trojan-Ransom.Win32.Cryptor.drc-2371e34ce5fb3b6017ec3dbbbde49f068d0e0d86ef9f1aed25427d0ca2b5f59f.exe
PID 2664 wrote to memory of 3004	2664	cmd.exe	Trojan-Ransom.Win32.Cryptor.drc-2371e34ce5fb3b6017ec3dbbbde49f068d0e0d86ef9f1aed25427d0ca2b5f59f.exe
PID 2664 wrote to memory of 1172	2664	cmd.exe	Trojan-Ransom.Win32.Foreign.myji-be448df866a7477e64836dd44a38823f60c4db38f6421f25161a573546ec0cef.exe
PID 2664 wrote to memory of 1172	2664	cmd.exe	Trojan-Ransom.Win32.Foreign.myji-be448df866a7477e64836dd44a38823f60c4db38f6421f25161a573546ec0cef.exe
PID 2664 wrote to memory of 1172	2664	cmd.exe	Trojan-Ransom.Win32.Foreign.myji-be448df866a7477e64836dd44a38823f60c4db38f6421f25161a573546ec0cef.exe
PID 5484 wrote to memory of 2212	5484	wmisecure64.exe	reg.exe
PID 5484 wrote to memory of 2212	5484	wmisecure64.exe	reg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

AddInProcess32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	AddInProcess32.exe

outlook_win_path 1 IoCs

Processes:

AddInProcess32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	AddInProcess32.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00391.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3308

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /1
2⤵
- Drops startup file
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4128

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2664

C:\Users\Admin\Desktop\00391\HEUR-Trojan-Ransom.MSIL.Blocker.gen-9719af69674f28958a71bcb0ac15c42f2b512eec759d70b0a6cc70811dcd4efb.exe
HEUR-Trojan-Ransom.MSIL.Blocker.gen-9719af69674f28958a71bcb0ac15c42f2b512eec759d70b0a6cc70811dcd4efb.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5640

C:\Users\Admin\Desktop\00391\HEUR-Trojan-Ransom.MSIL.Crusis.gen-cab9a80193d8de8880695ff176379cc4e3378a3f0bc901a973c8d2cf419ed920.exe
HEUR-Trojan-Ransom.MSIL.Crusis.gen-cab9a80193d8de8880695ff176379cc4e3378a3f0bc901a973c8d2cf419ed920.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v sobm /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\osign.exe"
4⤵
- System Location Discovery: System Language Discovery
PID:6104

C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v sobm /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\osign.exe"
5⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1348

C:\Users\Admin\osign.exe
"C:\Users\Admin\osign.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
5⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:5648

C:\Users\Admin\Desktop\00391\HEUR-Trojan-Ransom.MSIL.Spora.gen-08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
HEUR-Trojan-Ransom.MSIL.Spora.gen-08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
3⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Users\Admin\Desktop\00391\HEUR-Trojan-Ransom.MSIL.Spora.gen-08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
"C:\Users\Admin\Desktop\00391\HEUR-Trojan-Ransom.MSIL.Spora.gen-08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5312

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
5⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5928

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:412

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
5⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3432

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
6⤵
- Executes dropped EXE
PID:2616

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Users\Admin\AppData\Local\Temp\3.exe
"C:\Users\Admin\AppData\Local\Temp\3.exe"
5⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:476

C:\Users\Admin\AppData\Local\Temp\3.exe
"C:\Users\Admin\AppData\Local\Temp\3.exe"
6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5260 -s 744
7⤵
- Program crash
PID:4068

C:\Users\Admin\Desktop\00391\HEUR-Trojan-Ransom.Win32.Blocker.gen-d25a49887f13b5addc9697fde203dd80c306a9ca7f05b2d8e9fcd7a5e5b2b899.exe
HEUR-Trojan-Ransom.Win32.Blocker.gen-d25a49887f13b5addc9697fde203dd80c306a9ca7f05b2d8e9fcd7a5e5b2b899.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2632

C:\Users\Admin\Desktop\00391\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-1bc42d80ecc9175d0ba4e0a8c394956d3111bf2ab7439d88380de3219394e9da.exe
HEUR-Trojan-Ransom.Win32.GandCrypt.gen-1bc42d80ecc9175d0ba4e0a8c394956d3111bf2ab7439d88380de3219394e9da.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 476
4⤵
- Program crash
PID:5256

C:\Users\Admin\Desktop\00391\HEUR-Trojan-Ransom.Win32.Generic-ee2e4aa25d60b1dae3d55608d5c902979fc78c72d21e3de30a9736c9cdc83f41.exe
HEUR-Trojan-Ransom.Win32.Generic-ee2e4aa25d60b1dae3d55608d5c902979fc78c72d21e3de30a9736c9cdc83f41.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3136

C:\Users\Admin\AppData\Roaming\more files.exe
"C:\Users\Admin\AppData\Roaming\more files.exe" C:\Users\Admin\Desktop\00391\HEUR-Trojan-Ransom.Win32.Generic-ee2e4aa25d60b1dae3d55608d5c902979fc78c72d21e3de30a9736c9cdc83f41.exe
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2964

C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe
"C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe" unk
5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:212

C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe
"C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe" unk2
6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5280

C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe
"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe" unk3
7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5376

C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
"C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5460

C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
"C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
8⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5484

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2212

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:3604

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4168

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:5916

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:5528

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4244

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4088

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:744

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:5320

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2884

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4424

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:3688

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:5980

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:3652

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:6040

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2148

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1460

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2968

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1156

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4664

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4160

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2280

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2960

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
PID:6036

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
PID:5420

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
PID:5660

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
PID:2972

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
PID:3892

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
PID:1460

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
PID:556

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
PID:4108

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
PID:2044

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
PID:2844

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
PID:3588

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
PID:6060

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
PID:3128

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
PID:5668

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
PID:1088

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
PID:5976

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
PID:1052

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
PID:3256

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
PID:1288

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
9⤵
PID:3332

C:\Users\Admin\Desktop\00391\HEUR-Trojan-Ransom.Win32.Haka.vho-215eaa198c532599bc17be38c8e8e626311b038246825f7d01d130a47664c4b3.exe
HEUR-Trojan-Ransom.Win32.Haka.vho-215eaa198c532599bc17be38c8e8e626311b038246825f7d01d130a47664c4b3.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3784

C:\Users\Admin\Desktop\00391\Trojan-Ransom.Win32.Agent.azbu-c4bd0baec275a7f967adf3df4d30ff38bab699b87c2106cf652eea8311d26c0d.exe
Trojan-Ransom.Win32.Agent.azbu-c4bd0baec275a7f967adf3df4d30ff38bab699b87c2106cf652eea8311d26c0d.exe
3⤵
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5356

C:\Users\Admin\Desktop\00391\Trojan-Ransom.Win32.Blocker.iwia-a26158b8cc1468d3e001a38142c99b747796db3bfd581171bae02ba1851cd122.exe
Trojan-Ransom.Win32.Blocker.iwia-a26158b8cc1468d3e001a38142c99b747796db3bfd581171bae02ba1851cd122.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 236
4⤵
- Program crash
PID:5772

C:\Users\Admin\Desktop\00391\Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
Trojan-Ransom.Win32.Crypren.ahgu-a04b38ff422db31daee97947e53ed41ecb16b0464628f596e247803b011ff45a.exe
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5832

C:\Users\Admin\Desktop\00391\Trojan-Ransom.Win32.Cryptor.drc-2371e34ce5fb3b6017ec3dbbbde49f068d0e0d86ef9f1aed25427d0ca2b5f59f.exe
Trojan-Ransom.Win32.Cryptor.drc-2371e34ce5fb3b6017ec3dbbbde49f068d0e0d86ef9f1aed25427d0ca2b5f59f.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3004

C:\Users\Admin\Desktop\00391\Trojan-Ransom.Win32.Foreign.myji-be448df866a7477e64836dd44a38823f60c4db38f6421f25161a573546ec0cef.exe
Trojan-Ransom.Win32.Foreign.myji-be448df866a7477e64836dd44a38823f60c4db38f6421f25161a573546ec0cef.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 476
4⤵
- Program crash
PID:872

C:\Users\Admin\Desktop\00391\VHO-Trojan-Ransom.Win32.Blocker.gen-cab8be7e77b689a5181d37ecd7d25ad629f5d609abf021bf3f556d61921d28d9.exe
VHO-Trojan-Ransom.Win32.Blocker.gen-cab8be7e77b689a5181d37ecd7d25ad629f5d609abf021bf3f556d61921d28d9.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2512

C:\Users\Admin\Desktop\00391\VHO-Trojan-Ransom.Win32.Crypmodadv.gen-3dbc9fc4a183ffed4025e9a8eb85cead96e2378776bab6aa8c0654b2c44ecb5f.exe
VHO-Trojan-Ransom.Win32.Crypmodadv.gen-3dbc9fc4a183ffed4025e9a8eb85cead96e2378776bab6aa8c0654b2c44ecb5f.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3352 -ip 3352
1⤵
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5664 -ip 5664
1⤵
PID:5716

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1172 -ip 1172
1⤵
PID:5372

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\key.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5260 -ip 5260
1⤵
PID:3200

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5908

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3140

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1832

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:2148

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:6048

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2564

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2588

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2884

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6084

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1848

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:452

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4580

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2968

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5148

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4200

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3712

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3248

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3352

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5024

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3912

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2260

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:248

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery