dragonforce | 312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83

General

Target

312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Size

465KB
MD5

15634dc79981e7fba25fb8530cedb981
SHA1

a4bdd6cef0ed43a4d08f373edc8e146bb15ca0f9
SHA256

312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83
SHA512

daa63d5a3a948f4416d61eb4bf086f8cc921f24187ffcdb406751cc8102114f826957a249830e28220a3c73e11388706152851106794529541e1e2020d695ece
SSDEEP

12288:HZph8TCfS9dQ1GH4wKcmY8FYkEv+NT5XqU6KDBxE:HZpCTCfS9dQ104wdV8FImT5XqiS

Score

10^/10

dragonforce credential_access discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\ProgramData\readme.txt

Family

dragonforce

Ransom Note

Hello! Your files have been stolen from your network and encrypted with a strong algorithm. We work for money and are not associated with politics. All you need to do is contact us and pay. --- Our communication process: 1. You contact us. 2. We send you a list of files that were stolen. 3. We decrypt 1 file to confirm that our decryptor works. 4. We agree on the amount, which must be paid using BTC. 5. We delete your files, we give you a decryptor. 6. We give you a detailed report on how we compromised your company, and recommendations on how to avoid such situations in the future. --- Client area (use this site to contact us): Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion >>> Use this ID: C2856ADC257746633E24BD08F98CAB0C to begin the recovery process. * In order to access the site, you will need Tor Browser, you can download it from this link: https://www.torproject.org/ --- Additional contacts: Support Tox: 1C054B722BCBF41A918EF3C485712742088F5C3E81B2FDD91ADEA6BA55F4A856D90A65E99D20 --- Recommendations: DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. --- Important: If you refuse to pay or do not get in touch with us, we start publishing your files. 17/07/2024 00:00 UTC the decryptor will be destroyed and the files will be published on our blog. Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion Sincerely, 01000100 01110010 01100001 01100111 01101111 01101110 01000110 01101111 01110010 01100011 01100101

URLs

http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion

http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion

Signatures

DragonForce
Ransomware family based on Lockbit that was first observed in November 2023.
ransomware dragonforce
Dragonforce family
dragonforce
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

Processes:

312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 22 IoCs

Processes:

312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe

description	ioc	process
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe

Drops file in Program Files directory 64 IoCs

Processes:

312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-pl.xrm-ms	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare_col.hxt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ro-ro\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nl-nl\ui-strings.js	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_K_COL.HXK	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\ms_get.svg	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\web_documentcloud_logo.png	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\root\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\COPYRIGHT	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File created	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\comment.svg	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_expiration_terms_dict.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File created	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\close_x.png	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql90.xsl	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\tr-tr\ui-strings.js	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File created	C:\Program Files\Common Files\microsoft shared\ink\el-GR\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access_output\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File created	C:\Program Files (x86)\Internet Explorer\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ul-oob.xrm-ms	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-ae\ui-strings.js	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Mozilla Firefox\platform.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\root\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7ES.LEX	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\gu.pak.DATA	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-focus_32.svg	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.MSOUC.16.1033.hxn	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\msedge_7z.data	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\uk.pak.DATA	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sl-si\ui-strings.js	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-CN\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUAB.TTF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\ja.pak	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-variant2.gif	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\uk-ua\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\anevia_xml.luac	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover.png	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-phn.xrm-ms	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN075.XML	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\manifest.json	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrdeulm.dat	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\adcvbs.inc	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARA.TTF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\rhp_world_icon_hover_2x.png	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\WINGDNG2.TTF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\svgCheckboxUnselected.svg	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hu-hu\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe

Modifies data under HKEY_USERS 44 IoCs

Processes:

312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00500072006f006700720061006d0044006100740061005c00550053004f005300680061007200650064005c004c006f00670073005c00530079007300740065006d005c00550070006400610074006500530065007300730069006f006e004f0072006300680065007300740072006100740069006f006e002e00650034006500390038003200360031002d0034003700610035002d0034003600610065002d0061003700640062002d003200610061006500350062006500360035003400340066002e0031002e00650074006c0000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1"	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 5fbd38a598a578554a64a35c3afcb26a173b7430f46e6f2201b9d80a62c38646	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 624e4e31c4bf946c7713d7cf58e6bcda2db84dfe21e78228178e81e1f1fce79f	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00350033006200330039006500380038002d0031003800630034002d0031003100650061002d0061003800310031002d003000300030006400330061006100340036003900320062007d002e0054004d002e0062006c00660000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 1fb76b6be84e3232d3d720557f7b98d19f8f10aebb3dca364d8025707fd7c819	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 18f70b02612411d69e86e662d87346818d348ef98bacb1ff6688af3cafc15f94	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = cbaabe9043826524d19d72bd34a6b48267e2871e8258909ca2d7e3410295b738	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Key created	\REGISTRY\USER\.DEFAULT\Software	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = aec74133926f0d95259e0e83ee29907269f6d8be25bf2447e9037b07b85eece1	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 595340f6074f806b6af5d075657f5360482ba651b6325eff190dcd9e12ebd9e1	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 8ea7d99b3adf7882d96d6c01ff7ce589a1f9d292a2eebd8a34f9f1dcfcecd689	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = a916f8b7ec975aa1b7426f88f81ddc6359e54b3ef3f942b4c9cdf8dcd2c35d47	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = bdd7edb4f341e981373f202aa6261c12a108853890a982365e254ab593a1f76e	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00440075006d00700053007400610063006b002e006c006f0067002e0074006d00700000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 6aa11b7b5de7540172cabeff487a54564913e4c423cf101893e67775dd7a767e	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = fc950bf6067899c6a86a409adbf094ba99bcacef919583aab56c63933ed30985	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = f24f6e6bd2422370a61c601511d44e94b6a5ffa1bb68e977720e8276fb64ca5f	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00500072006f006700720061006d0044006100740061005c00550053004f005300680061007200650064005c004c006f00670073005c00530079007300740065006d005c0057007500500072006f00760069006400650072002e00310062003100330036003300330037002d0035006600390063002d0034003700310034002d0062003500320039002d006100640065006200610033003100340031003100340033002e0031002e00650074006c0000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 48474cec147a1fc3da5ef609f1514a28ced62cdc7d6950e9c121e336f0f9c23e	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 17d7cd80fbefe5980d12bbff528e397f7689de59cef275ec5fdb408348d08b5e	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 465c0ca0641274d4551d8a19e16d285d522576d089cb18183c1e1b67f013d7ad	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = caf22066afebcd48a857032a19b89f8544760711f8b06ee7f9035b2fbd098ccc	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 0e41023ed828858a6e260b83323a56d05effa185df1ce8a30ac1f1f1bc109b89	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004d006900630072006f0073006f00660074005c00470061006d0065004400560052005c004b006e006f0077006e00470061006d0065004c006900730074002e00620069006e0000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = b567ebf1bd6ed251e88c66de79ddf7be5f728a032d1ad5fbd2ff18dbc70c1b36	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "2"	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = c80f90c3d377ad7d53232a73bdc487abc6f77d092233e08e1cedabb32e815736	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700320000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 91ef37550c68c6139a6673d1a93dc9a197d07f54540c7065523886cd91c8eecd	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = 0c130000fca245af883adb01	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00500072006f006700720061006d0044006100740061005c00550053004f005300680061007200650064005c004c006f00670073005c00530079007300740065006d005c004d006f00550073006f0043006f007200650057006f0072006b00650072002e00360061006500650034003200610036002d0061006300640039002d0034003200650061002d0062003300610030002d006400340030003500650039003900300036003400330039002e0031002e00650074006c0000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = d6994651c0834a235d5a5b3e5f591dd7d2be97f454d70440386dd5252ce8cb8c	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c0043006f006e006e0065006300740065006400440065007600690063006500730050006c006100740066006f0072006d005c004c002e00410064006d0069006e005c004100630074006900760069007400690065007300430061006300680065002e006400620000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = d2e339725415d661075bc9eeef19a20090d859817d9099560e81deb6ad50dd51	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 003b0cdb3f0a1633cc87d1e9c146707a8d4ffc2d02f98e124960fe8cbb53cbdf	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00350033006200330039006500380038002d0031003800630034002d0031003100650061002d0061003800310031002d003000300030006400330061006100340036003900320062007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e0044004100540000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00350033006200330039006500380038002d0031003800630034002d0031003100650061002d0061003800310031002d003000300030006400330061006100340036003900320062007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe

pid	process
2496	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
2496	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

656

pid	process
656

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

vssvc.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	3212	vssvc.exe
Token: SeRestorePrivilege	3212	vssvc.exe
Token: SeAuditPrivilege	3212	vssvc.exe
Token: SeCreateTokenPrivilege	5040	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	5040	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5040	WMIC.exe
Token: SeSecurityPrivilege	5040	WMIC.exe
Token: SeTakeOwnershipPrivilege	5040	WMIC.exe
Token: SeLoadDriverPrivilege	5040	WMIC.exe
Token: SeSystemtimePrivilege	5040	WMIC.exe
Token: SeBackupPrivilege	5040	WMIC.exe
Token: SeRestorePrivilege	5040	WMIC.exe
Token: SeShutdownPrivilege	5040	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5040	WMIC.exe
Token: SeUndockPrivilege	5040	WMIC.exe
Token: SeManageVolumePrivilege	5040	WMIC.exe
Token: 31	5040	WMIC.exe
Token: 32	5040	WMIC.exe
Token: SeCreateTokenPrivilege	5040	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	5040	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5040	WMIC.exe
Token: SeSecurityPrivilege	5040	WMIC.exe
Token: SeTakeOwnershipPrivilege	5040	WMIC.exe
Token: SeLoadDriverPrivilege	5040	WMIC.exe
Token: SeSystemtimePrivilege	5040	WMIC.exe
Token: SeBackupPrivilege	5040	WMIC.exe
Token: SeRestorePrivilege	5040	WMIC.exe
Token: SeShutdownPrivilege	5040	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5040	WMIC.exe
Token: SeUndockPrivilege	5040	WMIC.exe
Token: SeManageVolumePrivilege	5040	WMIC.exe
Token: 31	5040	WMIC.exe
Token: 32	5040	WMIC.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).execmd.exe

description	pid	process	target process
PID 4876 wrote to memory of 1540	4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	cmd.exe
PID 4876 wrote to memory of 1540	4876	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe	cmd.exe
PID 1540 wrote to memory of 5040	1540	cmd.exe	WMIC.exe
PID 1540 wrote to memory of 5040	1540	cmd.exe	WMIC.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
"C:\Users\Admin\AppData\Local\Temp\312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2496
- C:\Users\Admin\AppData\Local\Temp\312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe
  "C:\Users\Admin\AppData\Local\Temp\312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83(1).exe"
  2⤵
  - Drops startup file
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2B3B0DD8-321D-4347-A3B9-6B53A3551943}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2B3B0DD8-321D-4347-A3B9-6B53A3551943}'" delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5040

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

2

T1555

Credentials from Web Browsers

1

T1555.003

Windows Credential Manager

1

T1555.004

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Browser Information Discovery

1

T1217

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\readme.txt

Filesize
1KB

MD5
41eba2395c4195d40c6aad42b7478d42

SHA1
61a8fb00c3a9d607c82fe249e1eac5fd32b249dd

SHA256
913f3e074709c8893088d45523fa7aa3588a3b3816b1827ad52351970f0e23d7

SHA512
56b871b4764265859ef54da5fb78532943b73987abe52db2d13e4245c1e36b9d71ba4f008c9a6ccbfdb25ac7445e0f3304b907a8533ca20188c0ea22259b527f

Download Submit
C:\Users\Public\log.log

Filesize
4KB

MD5
d7835a3a20f4bf8f57663aacb6a96038

SHA1
32028de27305e1105fb8488878adcbbe873df3e6

SHA256
767958c586834d8c3a8f3cf6225d88ff9cbf9ae11f923cc610c2e19927c73ff7

SHA512
b8653f4b3b3a0a6054b57154ec30d2122f4dd178f2ac625ebc1b5d5b06cdadb5addbea3d3beb0f6c0f8b2f217b6d098c85627d3e888837d5a3fb24d4c7c82bdc

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads