dragonforce | 312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83

Analysis

max time kernel
126s
max time network
65s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-11-2024 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Size

465KB
MD5

15634dc79981e7fba25fb8530cedb981
SHA1

a4bdd6cef0ed43a4d08f373edc8e146bb15ca0f9
SHA256

312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83
SHA512

daa63d5a3a948f4416d61eb4bf086f8cc921f24187ffcdb406751cc8102114f826957a249830e28220a3c73e11388706152851106794529541e1e2020d695ece
SSDEEP

12288:HZph8TCfS9dQ1GH4wKcmY8FYkEv+NT5XqU6KDBxE:HZpCTCfS9dQ104wdV8FImT5XqiS

Score

10^/10

dragonforce credential_access discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files (x86)\readme.txt

Family

dragonforce

Ransom Note

Hello! Your files have been stolen from your network and encrypted with a strong algorithm. We work for money and are not associated with politics. All you need to do is contact us and pay. --- Our communication process: 1. You contact us. 2. We send you a list of files that were stolen. 3. We decrypt 1 file to confirm that our decryptor works. 4. We agree on the amount, which must be paid using BTC. 5. We delete your files, we give you a decryptor. 6. We give you a detailed report on how we compromised your company, and recommendations on how to avoid such situations in the future. --- Client area (use this site to contact us): Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion >>> Use this ID: C2856ADC25774663FF9B2F4909C5AB13 to begin the recovery process. * In order to access the site, you will need Tor Browser, you can download it from this link: https://www.torproject.org/ --- Additional contacts: Support Tox: 1C054B722BCBF41A918EF3C485712742088F5C3E81B2FDD91ADEA6BA55F4A856D90A65E99D20 --- Recommendations: DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. --- Important: If you refuse to pay or do not get in touch with us, we start publishing your files. 17/07/2024 00:00 UTC the decryptor will be destroyed and the files will be published on our blog. Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion Sincerely, 01000100 01110010 01100001 01100111 01101111 01101110 01000110 01101111 01110010 01100011 01100101

URLs

http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion

http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion

Signatures

DragonForce
Ransomware family based on Lockbit that was first observed in November 2023.
ransomware dragonforce
Dragonforce family
dragonforce
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

Processes:

312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 33 IoCs

Processes:

312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\YPLB435F\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\R627XHFP\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\OM66BHWE\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\U8F4PBMO\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\Public\\wallpaper_white.png"	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe

Drops file in Program Files directory 64 IoCs

Processes:

312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02453_.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN065.XML	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages.properties	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR48B.GIF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\MMSS.ICO	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\management.properties	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_zh_CN.jar	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099170.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384895.JPG	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149118.JPG	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01148_.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions.css	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02115_.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0195384.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR47F.GIF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02431_.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Boise	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\MessageBoxIconImages.jpg	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00183_.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_ja_4.4.0.v20140623020002.jar	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Teal.css	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Beulah	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplate.html	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-charts.xml	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT_COL.HXC	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.DEV_COL.HXT	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME10.CSS	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_decreaseindent.gif	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File created	C:\Program Files\VideoLAN\VLC\locale\tt\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-attach.jar	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00076_.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341534.JPG	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386267.JPG	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02264_.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0183328.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_ButtonGraphic.png	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OMML2MML.XSL	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\vstoee100.tlb	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00538_.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02617_.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01292_.GIF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Elemental.eftx	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0211949.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\PREVIEW.GIF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\InformationIconMask.bmp	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Brisbane	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File created	C:\Program Files\Reference Assemblies\Microsoft\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00934_.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File created	C:\Program Files\VideoLAN\VLC\locale\fur\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe

Modifies Control Panel 1 IoCs

evasion

Processes:

312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\WallpaperStyle = "10"	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe

Modifies data under HKEY_USERS 42 IoCs

Processes:

312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence = "2"	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 481d4054b49ca8e94ed85488d067df31c8599a824b9f46e24809ab29c282b6c4	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence = "1"	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e0044004100540000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 2fbab65b89e2cc8eadc179fe163b24e127d2d8f5869a2f9fe958afaab918f06d	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Control Panel\Desktop\WallPaper = "C:\\Users\\Public\\wallpaper_white.png"	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 8c4ba3e16c30c216bf9e836a3d1cb21bf5da1ce47581fc6dd98225b2d907bc2e	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallPaper = "C:\\Users\\Public\\wallpaper_white.png"	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "10"	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\Owner = 080b000040a6c6b2883adb01	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 141c321d4f00c4990028f94fc65e9cbb54bcde12735c47105f23c916e1b1bf4e	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700320000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 3b60c33628b8f385c6aede5ad1e6517c9dbb63b3c97bcef6ec65258475472f75	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = bfee7985af7524f3e2216c2843b14942775db914d3ec310f249e3fa632d6f47d	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 0e14eed687fdf5f26f94e673cd84bf9c395e2417aa83c1d47030d0840e9598f2	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Control Panel\Desktop\WallPaper = "C:\\Users\\Public\\wallpaper_white.png"	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00500072006f006700720061006d0044006100740061005c004d006900630072006f0073006f00660074005c004f006600660069006300650053006f00660074007700610072006500500072006f00740065006300740069006f006e0050006c006100740066006f0072006d005c0074006f006b0065006e0073002e0064006100740000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 349ebaba404eb573c79c7c824e73b302946dac2a20aecc9ab869422b6a4e2ae6	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Control Panel\Desktop\WallpaperStyle = "10"	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d002e0062006c00660000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = c27bb9e90209a4a2a8cd474854c468fda5b3c1d19724560877ef0e5bef24257f	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = f51dfad85d1863c8695a98d4c15ba30347ff127c8676094a447ce53fd60a95df	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00500072006f006700720061006d0044006100740061005c004d006900630072006f0073006f00660074005c004e006500740077006f0072006b005c0044006f0077006e006c006f0061006400650072005c0071006d006700720030002e0064006100740000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Key created	\REGISTRY\USER\.DEFAULT\Software	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 618cee2905ebf43f74dd8423fdfd8d3df6726a66cfe21fd9ad2d65dacab87017	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = e9764f94089b74b392bac500fbf219c2134d918f7cc72c5260179dba861d0b7d	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 7d448bf7e852ff8a5cf243cace3726f5ea74685f3f82263133cf6c6ab6273083	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 5591d00b3f69056a2f1ce6088b9a170ccfc85537b18cc35a7420746b8e3d4e45	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00500072006f006700720061006d002000460069006c00650073005c0043006f006d006d006f006e002000460069006c00650073005c004d006900630072006f0073006f006600740020005300680061007200650064005c004f0046004600490043004500310034005c00430075006c00740075007200650073005c004f00460046004900430045002e004f004400460000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = dba5a54cd1131f2a986b2c4b8c32bdfefe30019b6aa3ed649b941e2c39ddf681	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = d07a007f8a2be1d4716f15ad86b16d9bae906a9c50b6a51e49e222a3dc808b8d	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = b4d4db48a5f6fc425c335148b437b4bbc015e4cb3d171a5afb100554d1928b33	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 517216c7c40f2fe77b7bb67bab6627af06222024d9d1c469b33a871b262e33b4	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Control Panel\Desktop\WallpaperStyle = "10"	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe

Modifies registry class 3 IoCs

Processes:

312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dragonforce_encrypted	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dragonforce_encrypted\DefaultIcon	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.dragonforce_encrypted\DefaultIcon\ = "C:\\Users\\Public\\icon.ico"	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe

pid	Process
2756	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

svchost.exe

pid	Process
480
2944	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exeWMIC.exeWMIC.exeWMIC.exe

description	pid	Process
Token: SeBackupPrivilege	2724	vssvc.exe
Token: SeRestorePrivilege	2724	vssvc.exe
Token: SeAuditPrivilege	2724	vssvc.exe
Token: SeCreateTokenPrivilege	2096	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2096	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2096	WMIC.exe
Token: SeSecurityPrivilege	2096	WMIC.exe
Token: SeTakeOwnershipPrivilege	2096	WMIC.exe
Token: SeLoadDriverPrivilege	2096	WMIC.exe
Token: SeSystemtimePrivilege	2096	WMIC.exe
Token: SeBackupPrivilege	2096	WMIC.exe
Token: SeRestorePrivilege	2096	WMIC.exe
Token: SeShutdownPrivilege	2096	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2096	WMIC.exe
Token: SeUndockPrivilege	2096	WMIC.exe
Token: SeManageVolumePrivilege	2096	WMIC.exe
Token: 31	2096	WMIC.exe
Token: 32	2096	WMIC.exe
Token: SeCreateTokenPrivilege	2096	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2096	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2096	WMIC.exe
Token: SeSecurityPrivilege	2096	WMIC.exe
Token: SeTakeOwnershipPrivilege	2096	WMIC.exe
Token: SeLoadDriverPrivilege	2096	WMIC.exe
Token: SeSystemtimePrivilege	2096	WMIC.exe
Token: SeBackupPrivilege	2096	WMIC.exe
Token: SeRestorePrivilege	2096	WMIC.exe
Token: SeShutdownPrivilege	2096	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2096	WMIC.exe
Token: SeUndockPrivilege	2096	WMIC.exe
Token: SeManageVolumePrivilege	2096	WMIC.exe
Token: 31	2096	WMIC.exe
Token: 32	2096	WMIC.exe
Token: SeCreateTokenPrivilege	1272	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1272	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1272	WMIC.exe
Token: SeSecurityPrivilege	1272	WMIC.exe
Token: SeTakeOwnershipPrivilege	1272	WMIC.exe
Token: SeLoadDriverPrivilege	1272	WMIC.exe
Token: SeSystemtimePrivilege	1272	WMIC.exe
Token: SeBackupPrivilege	1272	WMIC.exe
Token: SeRestorePrivilege	1272	WMIC.exe
Token: SeShutdownPrivilege	1272	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1272	WMIC.exe
Token: SeUndockPrivilege	1272	WMIC.exe
Token: SeManageVolumePrivilege	1272	WMIC.exe
Token: 31	1272	WMIC.exe
Token: 32	1272	WMIC.exe
Token: SeCreateTokenPrivilege	1272	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1272	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1272	WMIC.exe
Token: SeSecurityPrivilege	1272	WMIC.exe
Token: SeTakeOwnershipPrivilege	1272	WMIC.exe
Token: SeLoadDriverPrivilege	1272	WMIC.exe
Token: SeSystemtimePrivilege	1272	WMIC.exe
Token: SeBackupPrivilege	1272	WMIC.exe
Token: SeRestorePrivilege	1272	WMIC.exe
Token: SeShutdownPrivilege	1272	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1272	WMIC.exe
Token: SeUndockPrivilege	1272	WMIC.exe
Token: SeManageVolumePrivilege	1272	WMIC.exe
Token: 31	1272	WMIC.exe
Token: 32	1272	WMIC.exe
Token: SeCreateTokenPrivilege	2084	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 2824 wrote to memory of 2248	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	34
PID 2824 wrote to memory of 2248	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	34
PID 2824 wrote to memory of 2248	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	34
PID 2824 wrote to memory of 2248	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	34
PID 2248 wrote to memory of 2096	2248	cmd.exe	36
PID 2248 wrote to memory of 2096	2248	cmd.exe	36
PID 2248 wrote to memory of 2096	2248	cmd.exe	36
PID 2824 wrote to memory of 2216	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	37
PID 2824 wrote to memory of 2216	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	37
PID 2824 wrote to memory of 2216	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	37
PID 2824 wrote to memory of 2216	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	37
PID 2216 wrote to memory of 1272	2216	cmd.exe	39
PID 2216 wrote to memory of 1272	2216	cmd.exe	39
PID 2216 wrote to memory of 1272	2216	cmd.exe	39
PID 2824 wrote to memory of 2788	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	40
PID 2824 wrote to memory of 2788	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	40
PID 2824 wrote to memory of 2788	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	40
PID 2824 wrote to memory of 2788	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	40
PID 2788 wrote to memory of 2084	2788	cmd.exe	42
PID 2788 wrote to memory of 2084	2788	cmd.exe	42
PID 2788 wrote to memory of 2084	2788	cmd.exe	42
PID 2824 wrote to memory of 2852	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	43
PID 2824 wrote to memory of 2852	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	43
PID 2824 wrote to memory of 2852	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	43
PID 2824 wrote to memory of 2852	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	43
PID 2852 wrote to memory of 584	2852	cmd.exe	45
PID 2852 wrote to memory of 584	2852	cmd.exe	45
PID 2852 wrote to memory of 584	2852	cmd.exe	45
PID 2824 wrote to memory of 536	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	46
PID 2824 wrote to memory of 536	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	46
PID 2824 wrote to memory of 536	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	46
PID 2824 wrote to memory of 536	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	46
PID 536 wrote to memory of 2884	536	cmd.exe	48
PID 536 wrote to memory of 2884	536	cmd.exe	48
PID 536 wrote to memory of 2884	536	cmd.exe	48
PID 2824 wrote to memory of 2536	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	49
PID 2824 wrote to memory of 2536	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	49
PID 2824 wrote to memory of 2536	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	49
PID 2824 wrote to memory of 2536	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	49
PID 2536 wrote to memory of 2968	2536	cmd.exe	51
PID 2536 wrote to memory of 2968	2536	cmd.exe	51
PID 2536 wrote to memory of 2968	2536	cmd.exe	51
PID 2824 wrote to memory of 2956	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	52
PID 2824 wrote to memory of 2956	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	52
PID 2824 wrote to memory of 2956	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	52
PID 2824 wrote to memory of 2956	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	52
PID 2956 wrote to memory of 3056	2956	cmd.exe	54
PID 2956 wrote to memory of 3056	2956	cmd.exe	54
PID 2956 wrote to memory of 3056	2956	cmd.exe	54
PID 2824 wrote to memory of 2440	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	55
PID 2824 wrote to memory of 2440	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	55
PID 2824 wrote to memory of 2440	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	55
PID 2824 wrote to memory of 2440	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	55
PID 2440 wrote to memory of 476	2440	cmd.exe	57
PID 2440 wrote to memory of 476	2440	cmd.exe	57
PID 2440 wrote to memory of 476	2440	cmd.exe	57
PID 2824 wrote to memory of 1408	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	58
PID 2824 wrote to memory of 1408	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	58
PID 2824 wrote to memory of 1408	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	58
PID 2824 wrote to memory of 1408	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	58
PID 1408 wrote to memory of 2176	1408	cmd.exe	60
PID 1408 wrote to memory of 2176	1408	cmd.exe	60
PID 1408 wrote to memory of 2176	1408	cmd.exe	60
PID 2824 wrote to memory of 3028	2824	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	61

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
"C:\Users\Admin\AppData\Local\Temp\312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2756
- C:\Users\Admin\AppData\Local\Temp\312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
  "C:\Users\Admin\AppData\Local\Temp\312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe"
  2⤵
  - Drops startup file
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F72CF7EA-7493-464E-A55E-292401F395F1}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F72CF7EA-7493-464E-A55E-292401F395F1}'" delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2096
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{75AE86CA-2C1B-4D7A-B54D-F43855F421BF}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{75AE86CA-2C1B-4D7A-B54D-F43855F421BF}'" delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1272
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{70094075-C182-43EE-AF7E-F06AA62E2781}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{70094075-C182-43EE-AF7E-F06AA62E2781}'" delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2084
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{014CA708-D618-4612-8FF8-A40ECF2E52CE}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{014CA708-D618-4612-8FF8-A40ECF2E52CE}'" delete
      4⤵
      PID:584
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{394A95EA-FCC2-4073-9C54-E7132D1A5092}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{394A95EA-FCC2-4073-9C54-E7132D1A5092}'" delete
      4⤵
      PID:2884
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C1EF26D8-A501-4076-8099-6F710831F3A6}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C1EF26D8-A501-4076-8099-6F710831F3A6}'" delete
      4⤵
      PID:2968
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{97B62EEC-501B-46A2-9F30-E967C0DE95C5}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{97B62EEC-501B-46A2-9F30-E967C0DE95C5}'" delete
      4⤵
      PID:3056
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2EF9212A-CA4A-44D3-B3BA-7A9AD6A2910D}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2EF9212A-CA4A-44D3-B3BA-7A9AD6A2910D}'" delete
      4⤵
      PID:476
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A64174B0-53C9-47FB-9288-730A7A89F1E1}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A64174B0-53C9-47FB-9288-730A7A89F1E1}'" delete
      4⤵
      PID:2176
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F80E821A-6036-405C-86EB-EF8A1DD5628B}'" delete
    3⤵
    PID:3028
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F80E821A-6036-405C-86EB-EF8A1DD5628B}'" delete
      4⤵
      PID:2208
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{313FDAFD-F61D-4A84-8E65-E2D2BEC9AE2E}'" delete
    3⤵
    PID:2400
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{313FDAFD-F61D-4A84-8E65-E2D2BEC9AE2E}'" delete
      4⤵
      PID:2392
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3351451D-D090-4AEB-AE0E-6EF304C18F57}'" delete
    3⤵
    PID:444
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3351451D-D090-4AEB-AE0E-6EF304C18F57}'" delete
      4⤵
      PID:868
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CA9C5ADD-72EA-4FB2-91B7-F1C8AE54F079}'" delete
    3⤵
    PID:1992
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CA9C5ADD-72EA-4FB2-91B7-F1C8AE54F079}'" delete
      4⤵
      PID:1256
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6E0405F2-9109-4C09-9359-EE87C9749EBE}'" delete
    3⤵
    PID:1412
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6E0405F2-9109-4C09-9359-EE87C9749EBE}'" delete
      4⤵
      PID:1044
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{79BA3819-6CD6-4872-A528-1AC6DD36A8D0}'" delete
    3⤵
    PID:696
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{79BA3819-6CD6-4872-A528-1AC6DD36A8D0}'" delete
      4⤵
      PID:944
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E6A0EDC4-069D-4D73-A6E3-B85C6ED7C9D2}'" delete
    3⤵
    PID:3008
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E6A0EDC4-069D-4D73-A6E3-B85C6ED7C9D2}'" delete
      4⤵
      PID:1368
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2673DA65-64CD-43C1-97AB-B43865D42B72}'" delete
    3⤵
    PID:3064
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2673DA65-64CD-43C1-97AB-B43865D42B72}'" delete
      4⤵
      PID:2088
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{47F11F4B-3E20-4E68-8AEB-A33E1FDC4F6A}'" delete
    3⤵
    PID:2432
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{47F11F4B-3E20-4E68-8AEB-A33E1FDC4F6A}'" delete
      4⤵
      PID:1292

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
- Suspicious behavior: LoadsDriver
PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\readme.txt

Filesize
1KB

MD5
659bf6cab5b73cba088010a6940c50c2

SHA1
63cecc78980a8bb6aa6aadc6194c2c45e4083ca3

SHA256
5ad50505bdb22d2969a71649d13cc56a6c7c4fc81de2e74052907e5993171276

SHA512
b3cfaffb23e6f388d01015e3f76141a9280a747980012452c10838ab9a76a650ccfb48c545b7ed8fc9423dc29ccdd8e461d2e7fe49e9db7ae0039eb0c5681398

Download Submit
C:\Users\Public\log.log

Filesize
3KB

MD5
efe766d2ac984745808a10d3372e3f7f

SHA1
490e262d111988e4078e36deac6776858b0a295e

SHA256
d1e49d007364400a1dc3211adff7bc62b30c0c2dc3ed66b446a3355d40a016e9

SHA512
e05f7b8a44a469a61e21241608c57254a259ccc74bb2633927072fd3096d9423d5103baa2f1ecc43f9a76c8beea9836ab98a5f96ea24ce71e2405376130dd107

Download Submit