dragonforce | 631a8a6c4047d335bdd6a169236fa8a77ab001725e1123487f7cd8f4b31ce348

Analysis

max time kernel
140s
max time network
72s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
02/12/2024, 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Size

465KB
MD5

15634dc79981e7fba25fb8530cedb981
SHA1

a4bdd6cef0ed43a4d08f373edc8e146bb15ca0f9
SHA256

312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83
SHA512

daa63d5a3a948f4416d61eb4bf086f8cc921f24187ffcdb406751cc8102114f826957a249830e28220a3c73e11388706152851106794529541e1e2020d695ece
SSDEEP

12288:HZph8TCfS9dQ1GH4wKcmY8FYkEv+NT5XqU6KDBxE:HZpCTCfS9dQ104wdV8FImT5XqiS

Score

10^/10

dragonforce credential_access discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files (x86)\readme.txt

Family

dragonforce

Ransom Note

Hello! Your files have been stolen from your network and encrypted with a strong algorithm. We work for money and are not associated with politics. All you need to do is contact us and pay. --- Our communication process: 1. You contact us. 2. We send you a list of files that were stolen. 3. We decrypt 1 file to confirm that our decryptor works. 4. We agree on the amount, which must be paid using BTC. 5. We delete your files, we give you a decryptor. 6. We give you a detailed report on how we compromised your company, and recommendations on how to avoid such situations in the future. --- Client area (use this site to contact us): Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion >>> Use this ID: C2856ADC2577466361BC9A1E67905DB7 to begin the recovery process. * In order to access the site, you will need Tor Browser, you can download it from this link: https://www.torproject.org/ --- Additional contacts: Support Tox: 1C054B722BCBF41A918EF3C485712742088F5C3E81B2FDD91ADEA6BA55F4A856D90A65E99D20 --- Recommendations: DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. --- Important: If you refuse to pay or do not get in touch with us, we start publishing your files. 17/07/2024 00:00 UTC the decryptor will be destroyed and the files will be published on our blog. Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion Sincerely, 01000100 01110010 01100001 01100111 01101111 01101110 01000110 01101111 01110010 01100011 01100101

URLs

http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion

http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion

Signatures

DragonForce
Ransomware family based on Lockbit that was first observed in November 2023.
ransomware dragonforce
Dragonforce family
dragonforce
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 33 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Searches\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\25UY7HZX\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CBCNU6WZ\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RTJA0BV0\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JMFEWY8E\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\Public\\wallpaper_white.png"	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHSRN.DAT	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Anadyr	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\HEADING.JPG	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Oriel.thmx	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10358_.GIF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECRECL.ICO	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dhaka	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_ja.jar	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Bears.jpg	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\id.pak	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Salta	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\validation.js	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\IPML.ICO	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-execution.xml	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01354_.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\BREEZE.WAV	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-queries.jar	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert.css	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107314.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00367_.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\St_Johns	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309904.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_mid_over.gif	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Connectivity.gif	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107452.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00668_.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\PREVIEW.GIF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Yakutsk	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099173.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-static.png	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02077_.GIF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14528_.GIF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\vlc.mo	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-tools.xml	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099146.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00444_.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Newsprint.eftx	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\EMAIL.DPV	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02134_.GIF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\vlc.mo	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\720x480blacksquare.png	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_SelectionSubpicture.png	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\CGMIMP32.FLT	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL108.XML	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUNGLE.HTM	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WORDIRM.XML	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099193.GIF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281008.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01015_.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST5EDT	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Mozilla Firefox\removed-files	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00260_.WMF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKACCS.ICO	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\PLUS.GIF	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
File created	C:\Program Files\Microsoft Games\Purble Place\de-DE\readme.txt	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\WallpaperStyle = "10"	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00500072006f006700720061006d0044006100740061005c004d006900630072006f0073006f00660074005c004f006600660069006300650053006f00660074007700610072006500500072006f00740065006300740069006f006e0050006c006100740066006f0072006d005c0074006f006b0065006e0073002e0064006100740000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00500072006f006700720061006d0044006100740061005c004d006900630072006f0073006f00660074005c004e006500740077006f0072006b005c0044006f0077006e006c006f0061006400650072005c0071006d006700720030002e0064006100740000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\Owner = b80b00004061a622dd44db01	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = a124c323e934657082c773595f93597d5f5c06147f63fe8d0ffb4598ddb3be3a	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 2ef8bcee9afee7ba712edd54fe3ede73251e7c5b15c12e6e5a06b1ad83cf0635	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 336be2c8ba5704a41d94b7d36bc58f228e871f4cfc420f01844b7a631f068ba1	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d002e0062006c00660000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00500072006f006700720061006d002000460069006c00650073005c0043006f006d006d006f006e002000460069006c00650073005c004d006900630072006f0073006f006600740020005300680061007200650064005c004f0046004600490043004500310034005c00430075006c00740075007200650073005c004f00460046004900430045002e004f004400460000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = ed556e27473d9f63a6c270907f149efecfecf45b56eb8c2563c6e728d7abf5cb	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 821edf7748b9be5ca1995833be749530e50cdbcc60b5cf513d52315598832dac	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "10"	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Control Panel\Desktop\WallPaper = "C:\\Users\\Public\\wallpaper_white.png"	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Control Panel\Desktop\WallpaperStyle = "10"	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence = "1"	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 920e927f0a343c8ecb5816629da57f1ec5b2dbf7d7320f5cfaf99e6ed5a6e9dc	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = c5de684ef108085336838705f3641ab7f7490a544b01cb366213e864275acd6a	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallPaper = "C:\\Users\\Public\\wallpaper_white.png"	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e0044004100540000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 28cd05011feea7c78d3fe13b37f9608a74d9390aea650d16c38952a7449fd2ff	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = aa50f1110dc066a81148d56056515ff3b9266a22439811c7afaff6e01cd3c8f0	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Control Panel\Desktop\WallpaperStyle = "10"	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = bf6505ba74c6b6047cec13eb66035fddf1ab100a53c085a069a8b2717db58022	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 75adf11568f9fe1296575e4d896f4af64176d4f19c2d210a540e84aaf5fd7177	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 66f331c79391a20003f80f952a956196c3f8ee73c67bb6adb4f443d02738359a	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence = "2"	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700320000000000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 4ca76ae808a161bc09a5ab1f8df65c2b5c93898a255689cf7fa7d4f7f66ff413	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 132bb7950065c1a6f59ff6cb180f3eaa894d3be051e4c5adff0e01fbe3b5426a	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 47d006b6b8310ac71abccc2ff43b5b2c9b52f50ca1576b6293a76eccfa541dc0	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Control Panel\Desktop\WallPaper = "C:\\Users\\Public\\wallpaper_white.png"	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 602c0fd04a73dd5aeec381334750f7c181787b213401725ade40418265812ad9	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 7a87a8c72f2eccc5eff251bafb7ecc78eeb8c1eb271bcad8beb12dd5a7d0031a	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = f1371da2a3dcc5e8ea9aa0f80dc8b9d3ae227ec497eee6392f621b53bef06797	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.dragonforce_encrypted\DefaultIcon\ = "C:\\Users\\Public\\icon.ico"	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dragonforce_encrypted	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dragonforce_encrypted\DefaultIcon	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1232	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
476	Process not Found
564	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	3020	vssvc.exe
Token: SeRestorePrivilege	3020	vssvc.exe
Token: SeAuditPrivilege	3020	vssvc.exe
Token: SeCreateTokenPrivilege	2264	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2264	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2264	WMIC.exe
Token: SeSecurityPrivilege	2264	WMIC.exe
Token: SeTakeOwnershipPrivilege	2264	WMIC.exe
Token: SeLoadDriverPrivilege	2264	WMIC.exe
Token: SeSystemtimePrivilege	2264	WMIC.exe
Token: SeBackupPrivilege	2264	WMIC.exe
Token: SeRestorePrivilege	2264	WMIC.exe
Token: SeShutdownPrivilege	2264	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2264	WMIC.exe
Token: SeUndockPrivilege	2264	WMIC.exe
Token: SeManageVolumePrivilege	2264	WMIC.exe
Token: 31	2264	WMIC.exe
Token: 32	2264	WMIC.exe
Token: SeCreateTokenPrivilege	2264	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2264	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2264	WMIC.exe
Token: SeSecurityPrivilege	2264	WMIC.exe
Token: SeTakeOwnershipPrivilege	2264	WMIC.exe
Token: SeLoadDriverPrivilege	2264	WMIC.exe
Token: SeSystemtimePrivilege	2264	WMIC.exe
Token: SeBackupPrivilege	2264	WMIC.exe
Token: SeRestorePrivilege	2264	WMIC.exe
Token: SeShutdownPrivilege	2264	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2264	WMIC.exe
Token: SeUndockPrivilege	2264	WMIC.exe
Token: SeManageVolumePrivilege	2264	WMIC.exe
Token: 31	2264	WMIC.exe
Token: 32	2264	WMIC.exe
Token: SeCreateTokenPrivilege	2648	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2648	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2648	WMIC.exe
Token: SeSecurityPrivilege	2648	WMIC.exe
Token: SeTakeOwnershipPrivilege	2648	WMIC.exe
Token: SeLoadDriverPrivilege	2648	WMIC.exe
Token: SeSystemtimePrivilege	2648	WMIC.exe
Token: SeBackupPrivilege	2648	WMIC.exe
Token: SeRestorePrivilege	2648	WMIC.exe
Token: SeShutdownPrivilege	2648	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2648	WMIC.exe
Token: SeUndockPrivilege	2648	WMIC.exe
Token: SeManageVolumePrivilege	2648	WMIC.exe
Token: 31	2648	WMIC.exe
Token: 32	2648	WMIC.exe
Token: SeCreateTokenPrivilege	2648	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2648	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2648	WMIC.exe
Token: SeSecurityPrivilege	2648	WMIC.exe
Token: SeTakeOwnershipPrivilege	2648	WMIC.exe
Token: SeLoadDriverPrivilege	2648	WMIC.exe
Token: SeSystemtimePrivilege	2648	WMIC.exe
Token: SeBackupPrivilege	2648	WMIC.exe
Token: SeRestorePrivilege	2648	WMIC.exe
Token: SeShutdownPrivilege	2648	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2648	WMIC.exe
Token: SeUndockPrivilege	2648	WMIC.exe
Token: SeManageVolumePrivilege	2648	WMIC.exe
Token: 31	2648	WMIC.exe
Token: 32	2648	WMIC.exe
Token: SeCreateTokenPrivilege	2108	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2908	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	34
PID 3000 wrote to memory of 2908	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	34
PID 3000 wrote to memory of 2908	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	34
PID 3000 wrote to memory of 2908	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	34
PID 2908 wrote to memory of 2264	2908	cmd.exe	36
PID 2908 wrote to memory of 2264	2908	cmd.exe	36
PID 2908 wrote to memory of 2264	2908	cmd.exe	36
PID 3000 wrote to memory of 2768	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	37
PID 3000 wrote to memory of 2768	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	37
PID 3000 wrote to memory of 2768	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	37
PID 3000 wrote to memory of 2768	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	37
PID 2768 wrote to memory of 2648	2768	cmd.exe	39
PID 2768 wrote to memory of 2648	2768	cmd.exe	39
PID 2768 wrote to memory of 2648	2768	cmd.exe	39
PID 3000 wrote to memory of 2096	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	40
PID 3000 wrote to memory of 2096	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	40
PID 3000 wrote to memory of 2096	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	40
PID 3000 wrote to memory of 2096	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	40
PID 2096 wrote to memory of 2108	2096	cmd.exe	42
PID 2096 wrote to memory of 2108	2096	cmd.exe	42
PID 2096 wrote to memory of 2108	2096	cmd.exe	42
PID 3000 wrote to memory of 2536	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	43
PID 3000 wrote to memory of 2536	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	43
PID 3000 wrote to memory of 2536	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	43
PID 3000 wrote to memory of 2536	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	43
PID 2536 wrote to memory of 1168	2536	cmd.exe	45
PID 2536 wrote to memory of 1168	2536	cmd.exe	45
PID 2536 wrote to memory of 1168	2536	cmd.exe	45
PID 3000 wrote to memory of 1044	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	46
PID 3000 wrote to memory of 1044	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	46
PID 3000 wrote to memory of 1044	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	46
PID 3000 wrote to memory of 1044	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	46
PID 1044 wrote to memory of 1676	1044	cmd.exe	48
PID 1044 wrote to memory of 1676	1044	cmd.exe	48
PID 1044 wrote to memory of 1676	1044	cmd.exe	48
PID 3000 wrote to memory of 2408	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	49
PID 3000 wrote to memory of 2408	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	49
PID 3000 wrote to memory of 2408	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	49
PID 3000 wrote to memory of 2408	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	49
PID 2408 wrote to memory of 2160	2408	cmd.exe	51
PID 2408 wrote to memory of 2160	2408	cmd.exe	51
PID 2408 wrote to memory of 2160	2408	cmd.exe	51
PID 3000 wrote to memory of 2516	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	52
PID 3000 wrote to memory of 2516	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	52
PID 3000 wrote to memory of 2516	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	52
PID 3000 wrote to memory of 2516	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	52
PID 2516 wrote to memory of 1148	2516	cmd.exe	54
PID 2516 wrote to memory of 1148	2516	cmd.exe	54
PID 2516 wrote to memory of 1148	2516	cmd.exe	54
PID 3000 wrote to memory of 1932	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	55
PID 3000 wrote to memory of 1932	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	55
PID 3000 wrote to memory of 1932	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	55
PID 3000 wrote to memory of 1932	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	55
PID 1932 wrote to memory of 1872	1932	cmd.exe	57
PID 1932 wrote to memory of 1872	1932	cmd.exe	57
PID 1932 wrote to memory of 1872	1932	cmd.exe	57
PID 3000 wrote to memory of 2692	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	58
PID 3000 wrote to memory of 2692	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	58
PID 3000 wrote to memory of 2692	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	58
PID 3000 wrote to memory of 2692	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	58
PID 2692 wrote to memory of 2992	2692	cmd.exe	60
PID 2692 wrote to memory of 2992	2692	cmd.exe	60
PID 2692 wrote to memory of 2992	2692	cmd.exe	60
PID 3000 wrote to memory of 1420	3000	312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe	61

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
"C:\Users\Admin\AppData\Local\Temp\312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1232
- C:\Users\Admin\AppData\Local\Temp\312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
  "C:\Users\Admin\AppData\Local\Temp\312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe"
  2⤵
  - Drops startup file
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E069A50B-4677-4EFC-BBA4-0B146896D635}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E069A50B-4677-4EFC-BBA4-0B146896D635}'" delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2264
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D2AAF6AE-BF4D-45CD-A04C-0BEFD44E7053}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D2AAF6AE-BF4D-45CD-A04C-0BEFD44E7053}'" delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2648
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C1326537-1510-4283-A8A8-5E899D2D7407}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C1326537-1510-4283-A8A8-5E899D2D7407}'" delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2108
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EA740D83-F31E-4066-9A9F-562BB0076E47}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EA740D83-F31E-4066-9A9F-562BB0076E47}'" delete
      4⤵
      PID:1168
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{043869AD-442E-4953-A9F1-63B2631D10C7}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1044
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{043869AD-442E-4953-A9F1-63B2631D10C7}'" delete
      4⤵
      PID:1676
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{77F6EAD6-2B79-4571-848B-E297C18B14D5}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{77F6EAD6-2B79-4571-848B-E297C18B14D5}'" delete
      4⤵
      PID:2160
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C9DEE5C4-A860-475A-8AF4-2E735A8E8E6A}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C9DEE5C4-A860-475A-8AF4-2E735A8E8E6A}'" delete
      4⤵
      PID:1148
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6285DFB1-A11D-43CD-8F8A-49E273581552}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6285DFB1-A11D-43CD-8F8A-49E273581552}'" delete
      4⤵
      PID:1872
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{76BA5318-71CC-44D0-9EB2-F1ADD3236F72}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{76BA5318-71CC-44D0-9EB2-F1ADD3236F72}'" delete
      4⤵
      PID:2992
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6A13D77C-3B8B-4D66-8EC9-78ECAE56EFC3}'" delete
    3⤵
    PID:1420
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6A13D77C-3B8B-4D66-8EC9-78ECAE56EFC3}'" delete
      4⤵
      PID:264
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9FD587E5-6373-4ADB-A8B2-6478FE129FEB}'" delete
    3⤵
    PID:2168
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9FD587E5-6373-4ADB-A8B2-6478FE129FEB}'" delete
      4⤵
      PID:2148
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{908CFA86-110D-45AF-A880-8CC044D5BBF7}'" delete
    3⤵
    PID:2140
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{908CFA86-110D-45AF-A880-8CC044D5BBF7}'" delete
      4⤵
      PID:2220
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5707A7FF-F8CB-4410-A576-785888774343}'" delete
    3⤵
    PID:2156
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5707A7FF-F8CB-4410-A576-785888774343}'" delete
      4⤵
      PID:2392
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0B5E8C62-CCDF-452A-8F61-CD88FC678D52}'" delete
    3⤵
    PID:1272
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0B5E8C62-CCDF-452A-8F61-CD88FC678D52}'" delete
      4⤵
      PID:2176
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6AAB0200-AA60-4E20-A6B0-C7BE2397087C}'" delete
    3⤵
    PID:2528
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6AAB0200-AA60-4E20-A6B0-C7BE2397087C}'" delete
      4⤵
      PID:948
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E8CBA30E-CE08-4BCF-A683-18F009D44C60}'" delete
    3⤵
    PID:2544
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E8CBA30E-CE08-4BCF-A683-18F009D44C60}'" delete
      4⤵
      PID:2812
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4BFC85ED-F021-42A1-BF3B-A27F2748F299}'" delete
    3⤵
    PID:2348
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4BFC85ED-F021-42A1-BF3B-A27F2748F299}'" delete
      4⤵
      PID:1552
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{68C97A87-5C3B-400A-A9A5-1A79E908C25E}'" delete
    3⤵
    PID:820
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{68C97A87-5C3B-400A-A9A5-1A79E908C25E}'" delete
      4⤵
      PID:1004

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
- Suspicious behavior: LoadsDriver
PID:564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\readme.txt

Filesize
1KB

MD5
781378c861f3fccdc1f0fd312a45544d

SHA1
8d6465502fdf9dd210ef81eb18b2e71262d344ad

SHA256
5ac255ddedd2b3c71ae365342120a9b14a25f0869f99229064db2f995c7cc3c9

SHA512
701a2e854cc318bf1cda6d738d39921baff34e88aa5485dd3a0bd13b6765c3e32d47115fa0f95e31c8e786a3207ade7e4f4417a427491cf71a58d94dfd7072fe

Download Submit
C:\Users\Public\log.log

Filesize
4KB

MD5
9bbfa9527c57a3a521a72d449bff51bc

SHA1
f423307f3516d2be164fb82d448840f78fe4fb5b

SHA256
d25a6f1040fd86ec1d64930d5961a2ad1b6ff16c6014750bf580109e097d38bd

SHA512
4157f288e7674068f0ebf2f7c72f8d2fdd0a3f6ea556e9fe9e99eaf5f63d0f2b124654452272e0f0ca7b98e51b8ec920d3ef05f800b663ec6e60a611c76ae4e0

Download Submit