troldesh | 94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02

Resubmissions

17-04-2024 14:30

240417-rt43faca49 10

17-04-2024 14:30

17-04-2024 14:29

17-04-2024 14:29

17-04-2024 14:29

31-07-2022 05:21

Analysis

max time kernel
1196s
max time network
1198s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
17-04-2024 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
Size

1.5MB
MD5

6599f79e40a26186261b58aa89194e5b
SHA1

0a44b71f930447d545de0f10b6f9c70d513acacc
SHA256

94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02
SHA512

9e4c8b704bdf6f69df693c40c323f069ac7b9900ab8486d7e5a8423670aa1ee686ccfb6c4026f903d0928145efeee04b0b4cded0000f918862208baba9913748
SSDEEP

24576:4i9CFkYBMSUkGUbDkAv0f3BIykhWmRkLhKRahLo1ChjllyzD8k20ZItIhi4Gx:4ieMSU0bD7Q3Bfkh9k1VtKChpIzD/Std

Score

10^/10

troldesh discovery persistence ransomware spyware stealer trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies Installed Components in the registry 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral3/memory/2768-0-0x0000000000400000-0x000000000062A000-memory.dmp	upx
behavioral3/memory/2768-3-0x0000000000400000-0x000000000062A000-memory.dmp	upx
behavioral3/memory/4564-8-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-9-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/2768-10-0x0000000000400000-0x000000000062A000-memory.dmp	upx
behavioral3/memory/4564-11-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-16-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-17-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-18-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-19-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-20-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-21-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-22-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-25-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-26-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-27-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-28-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-29-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-30-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-31-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-32-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-33-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-34-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-35-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-36-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-37-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-38-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-39-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-40-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-41-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-42-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-43-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-44-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-45-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-46-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-47-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-48-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-49-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-50-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-51-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-52-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-53-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-54-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-55-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-56-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-57-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-58-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-59-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-60-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-61-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-62-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-63-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-64-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-65-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-66-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-67-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-68-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-69-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-70-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-71-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-72-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-73-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-74-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral3/memory/4564-75-0x0000000000400000-0x0000000000608000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\F:	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\B773F55BB773F55B.bmp"	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe

description	pid	process	target process
PID 2768 set thread context of 4564	2768	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe

Drops file in Program Files directory 64 IoCs

Processes:

94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\8080_20x20x32.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\animations\OneNoteFRE_CreateNotes_RTL_Tablet.mp4	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\_Resources\index.txt	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailWideTile.scale-100.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7260_48x48x32.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Klondike\Tips_1.jpg	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\collection_grey.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\195.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.15.2003.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\SmallTile.scale-125.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\RunningLate.scale-80.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-join.avi	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PeopleWideTile.scale-125.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\crown.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_PigNose.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlm.html	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\CardBacks\CardBack2.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-72_contrast-black.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.scale-125.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\freecell\Guard_Duty_Unearned_small.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\giflib.md	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\LargeTile.scale-100.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-36.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-150_contrast-black.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\LargeTile.scale-125.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\LargeTile.scale-125.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Workflow\Density_Selected_Medium.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\WideTile.scale-200.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\LinkedInboxMediumTile.scale-400.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\Office365LogoWLockup.scale-100.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-60_contrast-white.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-125_kzf8qxf38zg5c\SkypeApp\Assets\SkypeAppList.scale-125.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageMedTile.scale-125_contrast-black.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-256_altform-unplated.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Speech\en-US\tokens_enUS.xml	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeBadge.scale-100.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_scale-100.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-48.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\sg_60x42.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\en-us\jscripts\wefgallery_strings.js	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\4.jpg	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-64_altform-unplated.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\LinkedInboxWideTile.scale-100.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailLargeTile.scale-150.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailSmallTile.scale-200.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\Undo\Undo-over.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-140.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleSmallTile.scale-200.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96_contrast-black.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\nav_icons_activityAlert.targetsize-48.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxMediumTile.scale-150.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\AppxManifest.xml	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\punch.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\jumbo_1h.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+NewSQLServerConnection.odc	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\BuildInfo.xml	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.scale-200.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-40.png	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe

Drops file in Windows directory 4 IoCs

Processes:

94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exeexplorer.exeSearchUI.exe

description	ioc	process
File opened for modification	C:\Windows\	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
File created	C:\Windows\rescache\_merged\2717123927\1590785016.pri	explorer.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	SearchUI.exe
File created	C:\Windows\rescache\_merged\4032412167\4002656488.pri	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 26 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

SearchUI.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchUI.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchUI.exe
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

1500 vssadmin.exe
2704 vssadmin.exe
2296 vssadmin.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

SearchUI.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\GPU SearchUI.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

pid	process
1500	vssadmin.exe
2704	vssadmin.exe
2296	vssadmin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\GPU	SearchUI.exe

Modifies registry class 32 IoCs

Processes:

SearchUI.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "0"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "129"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "0"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133567065728993929"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e80704004100720067006a006200650078002000200033000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000074ae2078e323294282c1e41cb67d5b9c0000000000000000000000007732ba7df790da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e80704004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c00000000000000000000000056d1987df790da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e80704004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc7600000000000000000000000021f776218a86da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe

pid	process
4564	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
4564	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
4564	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
4564	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exevssvc.exeexplorer.exe

description	pid	process
Token: SeShutdownPrivilege	2768	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
Token: SeCreatePagefilePrivilege	2768	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
Token: SeShutdownPrivilege	2768	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
Token: SeCreatePagefilePrivilege	2768	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
Token: SeBackupPrivilege	5080	vssvc.exe
Token: SeRestorePrivilege	5080	vssvc.exe
Token: SeAuditPrivilege	5080	vssvc.exe
Token: SeShutdownPrivilege	256	explorer.exe
Token: SeCreatePagefilePrivilege	256	explorer.exe
Token: SeShutdownPrivilege	256	explorer.exe
Token: SeCreatePagefilePrivilege	256	explorer.exe
Token: SeShutdownPrivilege	256	explorer.exe
Token: SeCreatePagefilePrivilege	256	explorer.exe
Token: SeShutdownPrivilege	256	explorer.exe
Token: SeCreatePagefilePrivilege	256	explorer.exe
Token: SeShutdownPrivilege	256	explorer.exe
Token: SeCreatePagefilePrivilege	256	explorer.exe
Token: SeShutdownPrivilege	256	explorer.exe
Token: SeCreatePagefilePrivilege	256	explorer.exe
Token: SeShutdownPrivilege	256	explorer.exe
Token: SeCreatePagefilePrivilege	256	explorer.exe
Token: SeShutdownPrivilege	256	explorer.exe
Token: SeCreatePagefilePrivilege	256	explorer.exe
Token: SeShutdownPrivilege	256	explorer.exe
Token: SeCreatePagefilePrivilege	256	explorer.exe
Token: SeShutdownPrivilege	256	explorer.exe
Token: SeCreatePagefilePrivilege	256	explorer.exe
Token: SeShutdownPrivilege	256	explorer.exe
Token: SeCreatePagefilePrivilege	256	explorer.exe
Token: SeShutdownPrivilege	256	explorer.exe
Token: SeCreatePagefilePrivilege	256	explorer.exe
Token: SeShutdownPrivilege	256	explorer.exe
Token: SeCreatePagefilePrivilege	256	explorer.exe
Token: SeShutdownPrivilege	256	explorer.exe
Token: SeCreatePagefilePrivilege	256	explorer.exe
Token: SeShutdownPrivilege	256	explorer.exe
Token: SeCreatePagefilePrivilege	256	explorer.exe
Token: SeShutdownPrivilege	256	explorer.exe
Token: SeCreatePagefilePrivilege	256	explorer.exe
Token: SeShutdownPrivilege	256	explorer.exe
Token: SeCreatePagefilePrivilege	256	explorer.exe
Token: SeShutdownPrivilege	256	explorer.exe
Token: SeCreatePagefilePrivilege	256	explorer.exe
Token: SeShutdownPrivilege	256	explorer.exe
Token: SeCreatePagefilePrivilege	256	explorer.exe
Token: SeShutdownPrivilege	256	explorer.exe
Token: SeCreatePagefilePrivilege	256	explorer.exe
Token: SeShutdownPrivilege	256	explorer.exe
Token: SeCreatePagefilePrivilege	256	explorer.exe
Token: SeShutdownPrivilege	256	explorer.exe
Token: SeCreatePagefilePrivilege	256	explorer.exe
Token: SeShutdownPrivilege	256	explorer.exe
Token: SeCreatePagefilePrivilege	256	explorer.exe
Token: SeShutdownPrivilege	256	explorer.exe
Token: SeCreatePagefilePrivilege	256	explorer.exe
Token: SeShutdownPrivilege	256	explorer.exe
Token: SeCreatePagefilePrivilege	256	explorer.exe
Token: SeShutdownPrivilege	256	explorer.exe
Token: SeCreatePagefilePrivilege	256	explorer.exe
Token: SeShutdownPrivilege	256	explorer.exe
Token: SeCreatePagefilePrivilege	256	explorer.exe
Token: SeShutdownPrivilege	256	explorer.exe
Token: SeCreatePagefilePrivilege	256	explorer.exe
Token: SeShutdownPrivilege	256	explorer.exe

Suspicious use of FindShellTrayWindow 45 IoCs

Processes:

explorer.exe

pid	process
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

explorer.exe

pid	process
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe
256	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SearchUI.exe

pid process

3564 SearchUI.exe

pid	process
3564	SearchUI.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe

description	pid	process	target process
PID 2768 wrote to memory of 4564	2768	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
PID 2768 wrote to memory of 4564	2768	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
PID 2768 wrote to memory of 4564	2768	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
PID 2768 wrote to memory of 4564	2768	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
PID 4564 wrote to memory of 1500	4564	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe	vssadmin.exe
PID 4564 wrote to memory of 1500	4564	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe	vssadmin.exe
PID 4564 wrote to memory of 2704	4564	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe	vssadmin.exe
PID 4564 wrote to memory of 2704	4564	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe	vssadmin.exe
PID 4564 wrote to memory of 2296	4564	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe	vssadmin.exe
PID 4564 wrote to memory of 2296	4564	94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
"C:\Users\Admin\AppData\Local\Temp\94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2768

C:\Users\Admin\AppData\Local\Temp\94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
C:\Users\Admin\AppData\Local\Temp\94b88650ebf3fe56877d27316b51a4ddf27b4182892b167b5b03b35d84c95d02.exe
2⤵
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4564

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe List Shadows
3⤵
- Interacts with shadow copies
PID:1500

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:2704

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe List Shadows
3⤵
- Interacts with shadow copies
PID:2296

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:256

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3564

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db
Filesize
1024KB

MD5
144cb45cc5eb58890e03fbd5dbe9c8e4

SHA1
e54a4fa554a5d2b11a5fad0576fa11cbf8cf22ca

SHA256
a66091414683d3c6b2379b7d4daf43fd7f5419cbf2eebdda80a890e5412a8c93

SHA512
6140c876d425ac9541714111ee5f4ab0358b6e8565263d426b2e0e448ba28ec320dcee7e17592bff164ad6a0f38710067c20dcbe47d7bf095417c57e50a37680

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
7KB

MD5
e5094b4d83037cd93a09daafcd2ebe47

SHA1
c3abc9a3b956f630d1d5a758e97c302b53f729cf

SHA256
76c2fb11312934c8a8e0d355119770e4874018634f2b4341dabfe8ae20631426

SHA512
89c5fd3f1c33d7b5a476a9707895eb71c4f62c9efc33fa057d42e1aafeb00962a8614079098f9e1a1b72fd94ebca9b8727a71ce4b44bf6f68385d9ed81123402

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db
Filesize
1024KB

MD5
037769dd102ede7112447cfe2cd70b7f

SHA1
f49b49f046d26f41779665741ddfb42cf3a0c446

SHA256
e0d48d51beb23724062e92cfd9907d9d0de52fe0d320923959639ae710097e49

SHA512
00fbdf76bf87fe629b1f25e827d0b24ae1b98977624aa263d783e92d6e937a99caf132e24ffd89df9ee305514bc3f94b926f7ef513fec282784fe9b3fef46d31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db
Filesize
24B

MD5
ae6fbded57f9f7d048b95468ddee47ca

SHA1
c4473ea845be2fb5d28a61efd72f19d74d5fc82e

SHA256
d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9

SHA512
f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
Filesize
7KB

MD5
b9550f07054a96b9d1b63297c6e3639d

SHA1
89a4b515b8bfb65c4687bd14d41bddb46aa5131f

SHA256
799c464b6b675b7d1979a5b4ffda48faf5f95adb08d329a991832ab1d7331159

SHA512
0a85d5ad22cd364fe60a4da4a978df74b9b563383a352f855d95727291b91fb800fccfabf3a3cdeadfe617e916c35e211457ddee6e135e0f061d6baf4936bd5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
Filesize
7KB

MD5
3e9353971069fe41c3c0bfad666f2232

SHA1
345a16b95670f4a64c79c4430d7f88a29acfaa40

SHA256
7331aa54dfcbf15c51c9bd8f0ab401aba6ce4ae797321691d91f0079b6a1bdf4

SHA512
52daefb23e68d1785ba97870bf724b261551edd5c7183e4dd97befb86e5c14d2d328dafbc5477197c02b6ce8df5c91f251e1c430c3fb5d266bbc57ef9927b3ab

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\TA9PW42K\microsoft.windows[1].xml
Filesize
97B

MD5
dc5e6eb03269e129a9e8ccc9186161cd

SHA1
e28352f9f78534779a871064137a67aa777c6dd4

SHA256
01117b8e52792b6c29357873c3644dd78d7cc8d0be8ae8c52e4b89bb4ac6c20c

SHA512
7a8727587495d77b50862ed812fe8807d823a170e10c3f8aa8e7a0ab00d1f4e462814f0819a541541d8b56704c90b4a5c4c933b27492364a2530d27e3f05dbf7

Download Submit
C:\Users\Admin\AppData\Roaming\B773F55BB773F55B.bmp
Filesize
2.6MB

MD5
993cc909a89f0fb7fe90acc3703c2105

SHA1
f422cdcb426718b235a19080b0daf71c9b448768

SHA256
4aa6cdb9ce95410f85a05b21967d224cfd49cf8c7fa18d9998304a16d4e4b5d8

SHA512
5ec562b1e6f91f8774bf8fd00a6a413b4b4b5be2ede17ff9c417fce7097b7d313b136740e525c19a77f220e80fb0e92f8f4d1866ea185c9fc6755c3b41aa9762

Download Submit
memory/2768-0-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/2768-10-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/2768-12-0x0000000000C40000-0x0000000000C74000-memory.dmp

Filesize
208KB

Download
memory/2768-7-0x0000000000C40000-0x0000000000C74000-memory.dmp

Filesize
208KB

Download
memory/2768-3-0x0000000000400000-0x000000000062A000-memory.dmp

Filesize
2.2MB

Download
memory/4564-45-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-53-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-20-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-21-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-22-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-25-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-26-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-27-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-28-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-29-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-30-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-31-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-32-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-33-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-34-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-35-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-36-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-37-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-38-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-39-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-40-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-41-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-42-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-43-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-44-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-18-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-46-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-47-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-48-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-49-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-50-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-51-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-52-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-19-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-54-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-55-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-56-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-57-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-58-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-59-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-60-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-61-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-62-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-63-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-64-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-65-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-66-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-67-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-68-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-69-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-70-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-71-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-72-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-73-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-74-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-75-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-76-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-17-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-16-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-11-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-9-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-8-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-77-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-78-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4564-79-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download