dragonforce | d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9

Analysis

max time kernel
129s
max time network
50s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18/02/2025, 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
Size

465KB
MD5

9a218d69ecafe65eae264d2fdb52f1aa
SHA1

196c08fbab4119d75afb209a05999ce269ffe3cf
SHA256

d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9
SHA512

33d4cea92b6e4bd6bd96433e7f1d97f0e6461d6f468096d9591c2c78d088ab2de081a7ea4fdbff8fa2941a0a7e4f6e1e940ebcbb2a60309c9157e255699eab84
SSDEEP

12288:HZph8TCQS9dQ1GH4wKcmY8FYkEv+NT5XqU6KDBxE:HZpCTCQS9dQ104wdV8FImT5XqiS

Score

10^/10

dragonforce discovery ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\readme.txt

Family

dragonforce

Ransom Note

Hello! Your files have been stolen from your network and encrypted with a strong algorithm. We work for money and are not associated with politics. All you need to do is contact us and pay. --- Our communication process: 1. You contact us. 2. We send you a list of files that were stolen. 3. We decrypt 1 file to confirm that our decryptor works. 4. We agree on the amount, which must be paid using BTC. 5. We delete your files, we give you a decryptor. 6. We give you a detailed report on how we compromised your company, and recommendations on how to avoid such situations in the future. --- Client area (use this site to contact us): Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion >>> Use this ID: C2856ADC25774663E7370B9624F73E2B to begin the recovery process. * In order to access the site, you will need Tor Browser, you can download it from this link: https://www.torproject.org/ --- Additional contacts: Support Tox: 1C054B722BCBF41A918EF3C485712742088F5C3E81B2FDD91ADEA6BA55F4A856D90A65E99D20 --- Recommendations: DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. --- Important: If you refuse to pay or do not get in touch with us, we start publishing your files. 17/07/2024 00:00 UTC the decryptor will be destroyed and the files will be published on our blog. Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion Sincerely, 01000100 01110010 01100001 01100111 01101111 01101110 01000110 01101111 01110010 01100011 01100101

URLs

http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion

http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion

Signatures

DragonForce
Ransomware family based on Lockbit that was first observed in November 2023.
ransomware dragonforce
Dragonforce family
dragonforce

Drops desktop.ini file(s) 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\desktop.ini	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DisableConfirm.m4a	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\HideTest.cfg	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\readme.txt	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\ExitSave.xlt	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\DVD Maker\sonicsptransform.ax	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File created	C:\Program Files\Microsoft Games\Solitaire\readme.txt	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\InstallUpdate.ex_	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SegoeChess.ttf	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\New_Skins.url	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\THANKS.txt	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Apothecary.thmx	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MML2OMML.XSL	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OCRHC.DAT	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\PopSave.cmd	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File created	C:\Program Files\DVD Maker\ja-JP\readme.txt	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\ProtectConvertTo.rar	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File created	C:\Program Files (x86)\Common Files\DESIGNER\readme.txt	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\readme.txt	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\readme.txt	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XOCR3.PSP	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\Mozilla Firefox\Accessible.tlb	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File created	C:\Program Files\DVD Maker\de-DE\readme.txt	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DissolveNoise.png	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File created	C:\Program Files\Internet Explorer\de-DE\readme.txt	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.RuntimeUi.xml	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-install.log	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Pushpin.thmx	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Custom.propdesc	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\EditRevoke.docx	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\ProtectEnable.mpe	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\DVD Maker\directshowtap.ax	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\Mozilla Firefox\removed-files	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File created	C:\Program Files\DVD Maker\it-IT\readme.txt	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File created	C:\Program Files (x86)\Google\Update\readme.txt	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Custom.propdesc	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File created	C:\Program Files (x86)\MSBuild\readme.txt	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\VideoLAN Website.url	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File created	C:\Program Files (x86)\Google\CrashReports\readme.txt	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEIRM.XML	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\WriteDismount.vsdx	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\Common.fxh	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Apex.thmx	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\RepairGrant.svgz	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\readme.txt	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSEvents.man	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\readme.txt	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaultagent_localized.ini	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\eula.rtf	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Origin.thmx	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\CloseCopy.aiff	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File created	C:\Program Files (x86)\Common Files\readme.txt	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\readme.txt	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
File opened for modification	C:\Program Files\Java\jre7\Welcome.html	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2792	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2680	vssvc.exe
Token: SeRestorePrivilege	2680	vssvc.exe
Token: SeAuditPrivilege	2680	vssvc.exe
Token: SeCreateTokenPrivilege	784	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	784	WMIC.exe
Token: SeIncreaseQuotaPrivilege	784	WMIC.exe
Token: SeSecurityPrivilege	784	WMIC.exe
Token: SeTakeOwnershipPrivilege	784	WMIC.exe
Token: SeLoadDriverPrivilege	784	WMIC.exe
Token: SeSystemtimePrivilege	784	WMIC.exe
Token: SeBackupPrivilege	784	WMIC.exe
Token: SeRestorePrivilege	784	WMIC.exe
Token: SeShutdownPrivilege	784	WMIC.exe
Token: SeSystemEnvironmentPrivilege	784	WMIC.exe
Token: SeUndockPrivilege	784	WMIC.exe
Token: SeManageVolumePrivilege	784	WMIC.exe
Token: 31	784	WMIC.exe
Token: 32	784	WMIC.exe
Token: SeCreateTokenPrivilege	784	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	784	WMIC.exe
Token: SeIncreaseQuotaPrivilege	784	WMIC.exe
Token: SeSecurityPrivilege	784	WMIC.exe
Token: SeTakeOwnershipPrivilege	784	WMIC.exe
Token: SeLoadDriverPrivilege	784	WMIC.exe
Token: SeSystemtimePrivilege	784	WMIC.exe
Token: SeBackupPrivilege	784	WMIC.exe
Token: SeRestorePrivilege	784	WMIC.exe
Token: SeShutdownPrivilege	784	WMIC.exe
Token: SeSystemEnvironmentPrivilege	784	WMIC.exe
Token: SeUndockPrivilege	784	WMIC.exe
Token: SeManageVolumePrivilege	784	WMIC.exe
Token: 31	784	WMIC.exe
Token: 32	784	WMIC.exe
Token: SeCreateTokenPrivilege	2968	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2968	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2968	WMIC.exe
Token: SeSecurityPrivilege	2968	WMIC.exe
Token: SeTakeOwnershipPrivilege	2968	WMIC.exe
Token: SeLoadDriverPrivilege	2968	WMIC.exe
Token: SeSystemtimePrivilege	2968	WMIC.exe
Token: SeBackupPrivilege	2968	WMIC.exe
Token: SeRestorePrivilege	2968	WMIC.exe
Token: SeShutdownPrivilege	2968	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2968	WMIC.exe
Token: SeUndockPrivilege	2968	WMIC.exe
Token: SeManageVolumePrivilege	2968	WMIC.exe
Token: 31	2968	WMIC.exe
Token: 32	2968	WMIC.exe
Token: SeCreateTokenPrivilege	2968	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2968	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2968	WMIC.exe
Token: SeSecurityPrivilege	2968	WMIC.exe
Token: SeTakeOwnershipPrivilege	2968	WMIC.exe
Token: SeLoadDriverPrivilege	2968	WMIC.exe
Token: SeSystemtimePrivilege	2968	WMIC.exe
Token: SeBackupPrivilege	2968	WMIC.exe
Token: SeRestorePrivilege	2968	WMIC.exe
Token: SeShutdownPrivilege	2968	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2968	WMIC.exe
Token: SeUndockPrivilege	2968	WMIC.exe
Token: SeManageVolumePrivilege	2968	WMIC.exe
Token: 31	2968	WMIC.exe
Token: 32	2968	WMIC.exe
Token: SeCreateTokenPrivilege	2232	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 1416	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	34
PID 2932 wrote to memory of 1416	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	34
PID 2932 wrote to memory of 1416	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	34
PID 2932 wrote to memory of 1416	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	34
PID 1416 wrote to memory of 784	1416	cmd.exe	36
PID 1416 wrote to memory of 784	1416	cmd.exe	36
PID 1416 wrote to memory of 784	1416	cmd.exe	36
PID 2932 wrote to memory of 1932	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	37
PID 2932 wrote to memory of 1932	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	37
PID 2932 wrote to memory of 1932	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	37
PID 2932 wrote to memory of 1932	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	37
PID 1932 wrote to memory of 2968	1932	cmd.exe	39
PID 1932 wrote to memory of 2968	1932	cmd.exe	39
PID 1932 wrote to memory of 2968	1932	cmd.exe	39
PID 2932 wrote to memory of 1448	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	40
PID 2932 wrote to memory of 1448	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	40
PID 2932 wrote to memory of 1448	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	40
PID 2932 wrote to memory of 1448	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	40
PID 1448 wrote to memory of 2232	1448	cmd.exe	42
PID 1448 wrote to memory of 2232	1448	cmd.exe	42
PID 1448 wrote to memory of 2232	1448	cmd.exe	42
PID 2932 wrote to memory of 852	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	43
PID 2932 wrote to memory of 852	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	43
PID 2932 wrote to memory of 852	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	43
PID 2932 wrote to memory of 852	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	43
PID 852 wrote to memory of 2532	852	cmd.exe	45
PID 852 wrote to memory of 2532	852	cmd.exe	45
PID 852 wrote to memory of 2532	852	cmd.exe	45
PID 2932 wrote to memory of 2372	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	46
PID 2932 wrote to memory of 2372	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	46
PID 2932 wrote to memory of 2372	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	46
PID 2932 wrote to memory of 2372	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	46
PID 2372 wrote to memory of 2392	2372	cmd.exe	48
PID 2372 wrote to memory of 2392	2372	cmd.exe	48
PID 2372 wrote to memory of 2392	2372	cmd.exe	48
PID 2932 wrote to memory of 1488	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	49
PID 2932 wrote to memory of 1488	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	49
PID 2932 wrote to memory of 1488	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	49
PID 2932 wrote to memory of 1488	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	49
PID 1488 wrote to memory of 2956	1488	cmd.exe	51
PID 1488 wrote to memory of 2956	1488	cmd.exe	51
PID 1488 wrote to memory of 2956	1488	cmd.exe	51
PID 2932 wrote to memory of 2760	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	52
PID 2932 wrote to memory of 2760	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	52
PID 2932 wrote to memory of 2760	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	52
PID 2932 wrote to memory of 2760	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	52
PID 2760 wrote to memory of 2440	2760	cmd.exe	54
PID 2760 wrote to memory of 2440	2760	cmd.exe	54
PID 2760 wrote to memory of 2440	2760	cmd.exe	54
PID 2932 wrote to memory of 2444	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	55
PID 2932 wrote to memory of 2444	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	55
PID 2932 wrote to memory of 2444	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	55
PID 2932 wrote to memory of 2444	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	55
PID 2444 wrote to memory of 2992	2444	cmd.exe	57
PID 2444 wrote to memory of 2992	2444	cmd.exe	57
PID 2444 wrote to memory of 2992	2444	cmd.exe	57
PID 2932 wrote to memory of 264	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	58
PID 2932 wrote to memory of 264	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	58
PID 2932 wrote to memory of 264	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	58
PID 2932 wrote to memory of 264	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	58
PID 264 wrote to memory of 768	264	cmd.exe	60
PID 264 wrote to memory of 768	264	cmd.exe	60
PID 264 wrote to memory of 768	264	cmd.exe	60
PID 2932 wrote to memory of 1708	2932	d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe	61

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
"C:\Users\Admin\AppData\Local\Temp\d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2792
- C:\Users\Admin\AppData\Local\Temp\d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe
  "C:\Users\Admin\AppData\Local\Temp\d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9.exe"
  2⤵
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{096796F1-2149-464D-ACBB-03B5C167CC17}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1416
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{096796F1-2149-464D-ACBB-03B5C167CC17}'" delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:784
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F892CD27-E23E-4515-87B3-8F8F21B9D9C9}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F892CD27-E23E-4515-87B3-8F8F21B9D9C9}'" delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2968
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{32A7D592-2541-4316-9CBA-F77BBB019FC7}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1448
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{32A7D592-2541-4316-9CBA-F77BBB019FC7}'" delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2232
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4322938B-E7D8-427C-9899-D8612A7A139D}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:852
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4322938B-E7D8-427C-9899-D8612A7A139D}'" delete
      4⤵
      PID:2532
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{40688390-1826-4849-9E8B-083873315E70}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{40688390-1826-4849-9E8B-083873315E70}'" delete
      4⤵
      PID:2392
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D6A7C606-A48C-4CE7-8835-04E81D7912DF}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1488
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D6A7C606-A48C-4CE7-8835-04E81D7912DF}'" delete
      4⤵
      PID:2956
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B7D60577-15EA-4C7B-BE0B-C497017039D0}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B7D60577-15EA-4C7B-BE0B-C497017039D0}'" delete
      4⤵
      PID:2440
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BB1A373F-4301-4C27-8A7E-482A72564628}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BB1A373F-4301-4C27-8A7E-482A72564628}'" delete
      4⤵
      PID:2992
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1E5A9288-DEC5-4D8F-9600-23F03936D215}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:264
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1E5A9288-DEC5-4D8F-9600-23F03936D215}'" delete
      4⤵
      PID:768
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{823E0A24-E393-468F-B11F-85124724B858}'" delete
    3⤵
    PID:1708
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{823E0A24-E393-468F-B11F-85124724B858}'" delete
      4⤵
      PID:2088
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0A4CD207-FB7C-469F-9F7A-80D1BD4DFCFA}'" delete
    3⤵
    PID:1804
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0A4CD207-FB7C-469F-9F7A-80D1BD4DFCFA}'" delete
      4⤵
      PID:2540
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F64151A7-2488-4B24-9A4D-D03E41D3CAC7}'" delete
    3⤵
    PID:1612
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F64151A7-2488-4B24-9A4D-D03E41D3CAC7}'" delete
      4⤵
      PID:1228
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A40927C3-0F96-44E1-B89A-47B10F36A0E6}'" delete
    3⤵
    PID:2552
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A40927C3-0F96-44E1-B89A-47B10F36A0E6}'" delete
      4⤵
      PID:972
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1C5B9C0E-6DDC-430F-9959-B1C7BC19DF79}'" delete
    3⤵
    PID:1648
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1C5B9C0E-6DDC-430F-9959-B1C7BC19DF79}'" delete
      4⤵
      PID:1080
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0E322147-06DC-47C3-8F71-A37CFEE921A2}'" delete
    3⤵
    PID:772
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0E322147-06DC-47C3-8F71-A37CFEE921A2}'" delete
      4⤵
      PID:2116
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A273B3E7-11AE-4B3C-8748-31324B458734}'" delete
    3⤵
    PID:2336
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A273B3E7-11AE-4B3C-8748-31324B458734}'" delete
      4⤵
      PID:1740
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{41A049F0-5D90-4970-A62C-95EBA2C69DB2}'" delete
    3⤵
    PID:2240
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{41A049F0-5D90-4970-A62C-95EBA2C69DB2}'" delete
      4⤵
      PID:568
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8E1A70E3-B89F-4CF4-95D7-7FBA75E2544E}'" delete
    3⤵
    PID:2128
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8E1A70E3-B89F-4CF4-95D7-7FBA75E2544E}'" delete
      4⤵
      PID:1748

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\readme.txt

Filesize
1KB

MD5
5295c4aadc773b3e3e07e2659805af1e

SHA1
12dde61493a1ba56bce6828644f97bfe4b565967

SHA256
99810df1a7323f25419b373b7573141bf92e43d36c8396cea8109ab67624311d

SHA512
0a834e715aa2d0ef93a03d2b0dceef2d5b4dd79fa6094a2ac96afd22c008a06c5e92dbffdc6ac2681cd7a7e87095de303c6c03b9138daa487086259187329607

Download Submit
C:\Users\Public\log.log

Filesize
3KB

MD5
e5386594c35ca0103cc8aef725b53ba5

SHA1
2baf2c8937c73c3620a82241e6a709b476677a64

SHA256
073339ad6eadb658c9f5dfa6bf1c3a19de99b0503dcea9a1dbc85cf735a23057

SHA512
9ebf5fcd2c325db43cb17524d1525dfa4977c5d2aeb92d9bee7eac49e7bd33c6c8e67500b07e53940242285d31257b980490d75a059374978fb599a4c04efacf

Download Submit