hive | 83796fb61255c7604cf96f0c5aec2ac62cbdeb9154289a0340407168d4809720

Analysis

max time kernel
147s
max time network
13s
platform
windows7_x64
resource
win7v20210408
submitted
28-07-2021 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe

Score

10^/10

hive ransomware spyware stealer

Malware Config

Signatures

Hive
A ransomware written in Golang first seen in June 2021.
ransomware hive
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\drivers\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\drivers\en-US\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Windows\SysWOW64\drivers\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\BackupEdit.tiff	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\Pictures\SubmitSuspend.tiff	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe

Loads dropped DLL 15 IoCs

pid	Process
960	MsiExec.exe
960	MsiExec.exe
960	MsiExec.exe
960	MsiExec.exe
1096	msiexec.exe
1096	msiexec.exe
1096	msiexec.exe
1096	msiexec.exe
960	MsiExec.exe
960	MsiExec.exe
960	MsiExec.exe
960	MsiExec.exe
1096	msiexec.exe
1096	msiexec.exe
1396	MsiExec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8HHGB03\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNHPAZTY\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X8SF34HL\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2455352368-1077083310-2879168483-1000\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\H18KNA1T\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VNYR844D\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VFDYFLB4\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\E9RC2MV6\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\migration\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmntt1.inf_amd64_neutral_ecf5cff2236b273a\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\transfercable.inf_amd64_neutral_82f4c743c8996d67\amd64\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netirda.inf_amd64_neutral_93a886f96cea2847\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr008.inf_amd64_neutral_0540370b0b1e348e\Amd64\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\microsoft-activedirectory-webservices\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_neutral_4616c3de1949be6d\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\replacementmanifests\Microsoft-Windows-TerminalServices-LicenseServer\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\Setup\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hpoa1so.inf_amd64_neutral_4f1a3f1015001339\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mchgr.inf_amd64_neutral_407146dba80d1566\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr006.inf_amd64_neutral_f156853def526447\Amd64\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00d.inf_amd64_neutral_ce7a0b4e23e432ad\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-DirectoryServices-ADAM-DL\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmcxpv6.inf_amd64_neutral_f62ac4bd04e653d0\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmdsi.inf_amd64_neutral_e77f438012239042\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgl009.inf_amd64_neutral_bed6224f27f5c478\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00g.inf_amd64_neutral_6f76b14b2912fa55\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\040c\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\da-DK\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\avmx64c.inf_amd64_neutral_8ebb15bf548db022\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\monitor.inf_amd64_neutral_ab477c4d805d044f\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\nete1e3e.inf_amd64_neutral_f77725472d91b1d1\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Windows\SysWOW64\fi-FI\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\de-DE\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmaiwat.inf_amd64_neutral_213e93b5ced8b0fe\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgsm.inf_amd64_neutral_dd3fbd8c64c7c87d\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmod.inf_amd64_neutral_5766736c47b90fff\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep004.inf_amd64_neutral_63b22bfb6b93eaba\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netxfx64.inf_amd64_neutral_3336ecb2950fdc45\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-IE-ESC\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0416\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\Tasks\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\compositebus.inf_amd64_neutral_b9280780a8000d4b\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\crcdisk.inf_amd64_neutral_d10626d1f8b423c3\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Windows\SysWOW64\wbem\Logs\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnin002.inf_amd64_neutral_977d40799168c216\Amd64\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMESC5\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0404\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\com\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\microsoft-windows-audio-mmecore-other\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_neutral_4b99fffee061ff26\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00z.inf_amd64_neutral_27f402ce616c3ebc\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-TapiSetup\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\Speech\Engines\SR\en-US\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\HomeBasicN\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-msmq-messagingcoreservice\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\microsoft-windows-ndis\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-Unimodem-Config\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\tr-TR\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmaiwa.inf_amd64_neutral_560c956da9bcd8f5\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netw5v64.inf_amd64_neutral_a6b778ba802632cc\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnxx002.inf_amd64_neutral_560fdd891b24f384\Amd64\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiasa002.inf_amd64_neutral_6429a42f1243419a\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-3	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar.HEjbHG7qSj5K-iP3q7G9d4aL9b0IGIAzewrO1sK4oQw.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00296_.WMF.HEjbHG7qSj5K-iP3q7G9dx_CDR_vQE1L6qGCTVPQHgY.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00601_.WMF.HEjbHG7qSj5K-iP3q7G9d1TUqGm5ZMYhj-Wq7urzXGQ.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL01565_.WMF.HEjbHG7qSj5K-iP3q7G9dwf5UrQJhhggYLFHLV99jS0.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationUp_SelectionSubpicture.png	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libnuv_plugin.dll	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectStatusIcons.jpg	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Goose_Bay.HEjbHG7qSj5K-iP3q7G9d8heUamjfCc4PqwRSnV183w.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115844.GIF.HEjbHG7qSj5K-iP3q7G9d0iv0RVx5dY1ABXjxVyzkQM.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\23.png	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt.HEjbHG7qSj5K-iP3q7G9d1GW1V1ONL1SIKzKfFb7QAY.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\ACTIVITY.CFG	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Kiritimati.HEjbHG7qSj5K-iP3q7G9dzemz8PeogVONekE7BuI3yI.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ahclient.dll.HEjbHG7qSj5K-iP3q7G9d_pLF1TjduE0V5Rj8CMFDAU.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_ja_4.4.0.v20140623020002.jar	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\17.png	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SIGN.CFG	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18239_.WMF.HEjbHG7qSj5K-iP3q7G9d-ihBbT-o9deQYxkZfa6blc.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241041.WMF	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\ACWZTOOL.ACCDE	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\cacerts	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Guam	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\MS.GIF	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Java\jre7\lib\charsets.jar.HEjbHG7qSj5K-iP3q7G9d8t6p7Vw1W9sFGDqznG5xHs.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CUP.WMF.HEjbHG7qSj5K-iP3q7G9d4yZi3NbQONpRpPK1KkQ5Aw.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Regina	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-utility-l1-1-0.dll	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\TAB_ON.GIF.HEjbHG7qSj5K-iP3q7G9d5oUYcfW3ukvM5fq3WWZkVo.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107290.WMF	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ko.pak.HEjbHG7qSj5K-iP3q7G9d-IcUxXrsZ03fkissIDyXm8.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00917_.WMF	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Americana\TAB_ON.GIF	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png.HEjbHG7qSj5K-iP3q7G9d_oeN9yh7CQqzCu2nEzD2SQ.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libcc_plugin.dll.HEjbHG7qSj5K-iP3q7G9d6PYIF0VyLVCM7IafO483Dg.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02398_.WMF.HEjbHG7qSj5K-iP3q7G9dz9-3Dx7b3N4Z4hrkwPzs2s.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\LOCALDV.DLL	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FORMCTL.POC	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\ZoneInfoMappings.HEjbHG7qSj5K-iP3q7G9dwbvvKDOySY7E6Wfib7yq2s.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.DEV.HXS.HEjbHG7qSj5K-iP3q7G9dwQROsUYBqAIihBf3ZUEQjo.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10265_.GIF.HEjbHG7qSj5K-iP3q7G9d37IIO8wvnF_taAxnaX2FWY.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\vlc.mo	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_h.png	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\utilityfunctions.js	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Search.api.HEjbHG7qSj5K-iP3q7G9d1HqsUjDu4VShB33HlF6gmw.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\vlc.mo	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Library\EUROTOOL.XLAM	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider_right.png	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\CASCADE.INF	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01357_.WMF	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02371_.WMF	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_mp4_plugin.dll.HEjbHG7qSj5K-iP3q7G9d9PinFaeVHoXQX5ArXb1mC4.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Tripoli	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\charsets.jar.HEjbHG7qSj5K-iP3q7G9d1rIm-4TC7picYqdLb_bJFY.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\WordpadFilter.dll	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00444_.WMF	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_ja_4.4.0.v20140623020002.jar.HEjbHG7qSj5K-iP3q7G9d1F_QL0xfKBZXys56rbuDRY.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Mozilla Firefox\lgpllibs.dll.HEjbHG7qSj5K-iP3q7G9dz7WuepDnnswsgUrWej0Qwg.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileOffMask.bmp	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\RSSFeeds.js	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\VERSION.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Boot\EFI\pt-PT\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_Data\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\GAC_MSIL\PresentationFramework.Classic\3.0.0.0__31bf3856ad364e35\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Transacti#\a04be0cabc675da23c6cdd970b50e3c5\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\debug\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\inf\aspnet_state\0416\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\WPF\en-US\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\GAC_MSIL\ehiBmlDataCarousel\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\UIAutomatio4e153cb6#\42295046050399a00e1928eeb8e37adc\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\winsxs\amd64_mdmtkr.inf_31bf3856ad364e35_6.1.7600.16385_none_ade8da810f91972b\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.InfoPath.Xml\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\GAC_MSIL\Policy.12.0.office\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\winsxs\amd64_cxraptor_fm1216mk5_ibv64.inf_31bf3856ad364e35_6.1.7600.16385_none_6fc613b717a25720\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.FileSystem\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\security\ApplicationId\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Desktop\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\WindowsFormsIntegra#\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\Boot\EFI\cs-CZ\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Workflow.Run#\462293b97f4b8f084192a7fbae47269f\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.In#\1ea8ad2c4072a33cc9f2981dea3b8ddf\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Globalization\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.RegularExpressions\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\GAC_64\mcstoredb\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.UpdateDiagRootcause.Resources\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Data.Services.Design\3.5.0.0__b77a5c561934e089\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\winsxs\amd64_machine.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a102031c07b6ad1d\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\GAC_MSIL\Policy.11.0.office\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\MIGUIControls\569e273efda8306ec7e22143d5285476\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp\e2e42e6b0f65a618da8ab7235c27faf0\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\inf\RemoteAccess\0000\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\winsxs\amd64_display.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bb90e0956a02ab0\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\winsxs\amd64_iastorv.inf_31bf3856ad364e35_6.1.7601.17514_none_0d3757e79e6784d0\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security.Cryptography.X509Certificates\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClients#\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.I#\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\inf\.NET CLR Networking 4.0.0.0\0006\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\inf\ESENT\0000\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\Globalization\MCT\MCT-US\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Serialization.Primitives\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualC\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Windows.Presentation\3.5.0.0__b77a5c561934e089\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\1e85062785e286cd9eae9c26d2c61f73\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\Boot\DVD\EFI\en-US\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.AddI3d71a354#\e9b555ea0ea297aaf786f05eefd6e5a9\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\GAC_MSIL\System.AddIn\3.5.0.0__b77a5c561934e089\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\ComSvcConfig\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\inf\ASP.NET_4.0.30319\0416\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.AppContext\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\inf\Windows Workflow Foundation 4.0.0.0\0015\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\inf\Windows Workflow Foundation 4.0.0.0\0804\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\winsxs\amd64_mdmusrk1.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_152819b000cbe224\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Ink.Resources\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.InfoPath.Permission\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
1644	timeout.exe
1592	timeout.exe
1396	timeout.exe
296	timeout.exe
1028	timeout.exe
436	timeout.exe
1584	timeout.exe
1388	timeout.exe
792	timeout.exe
520	timeout.exe
1532	timeout.exe
1844	timeout.exe
632	timeout.exe
1784	timeout.exe
1852	timeout.exe
836	timeout.exe
956	timeout.exe
672	timeout.exe
1580	timeout.exe
896	timeout.exe
1396	timeout.exe
1388	timeout.exe
1400	timeout.exe
1032	timeout.exe
1728	timeout.exe
672	timeout.exe
1400	timeout.exe
1460	timeout.exe
1100	timeout.exe
1896	timeout.exe
564	timeout.exe
1644	timeout.exe
1396	timeout.exe
1592	timeout.exe
1872	timeout.exe
1644	timeout.exe
564	timeout.exe
1536	timeout.exe
944	timeout.exe
1576	timeout.exe
1276	timeout.exe
1852	timeout.exe
1752	timeout.exe
2028	timeout.exe
1872	timeout.exe
112	timeout.exe
1884	timeout.exe
948	timeout.exe
2000	timeout.exe
792	timeout.exe
1832	timeout.exe
1192	timeout.exe
1940	timeout.exe
1080	timeout.exe
912	timeout.exe
672	timeout.exe
836	timeout.exe
1528	timeout.exe
1096	timeout.exe
1332	timeout.exe
1272	timeout.exe
764	timeout.exe
1752	timeout.exe
260	timeout.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
320	vssadmin.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit\command	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx\IconHandler	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon	msiexec.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1988	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
1096	msiexec.exe
1096	msiexec.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeBackupPrivilege	1632	vssvc.exe
Token: SeRestorePrivilege	1632	vssvc.exe
Token: SeAuditPrivilege	1632	vssvc.exe
Token: SeRestorePrivilege	1096	msiexec.exe
Token: SeTakeOwnershipPrivilege	1096	msiexec.exe
Token: SeSecurityPrivilege	1096	msiexec.exe
Token: SeRestorePrivilege	1096	msiexec.exe
Token: SeTakeOwnershipPrivilege	1096	msiexec.exe
Token: SeRestorePrivilege	1096	msiexec.exe
Token: SeTakeOwnershipPrivilege	1096	msiexec.exe
Token: SeRestorePrivilege	1096	msiexec.exe
Token: SeTakeOwnershipPrivilege	1096	msiexec.exe
Token: SeRestorePrivilege	1096	msiexec.exe
Token: SeTakeOwnershipPrivilege	1096	msiexec.exe
Token: SeRestorePrivilege	1096	msiexec.exe
Token: SeTakeOwnershipPrivilege	1096	msiexec.exe
Token: SeRestorePrivilege	1096	msiexec.exe
Token: SeTakeOwnershipPrivilege	1096	msiexec.exe
Token: SeRestorePrivilege	1096	msiexec.exe
Token: SeTakeOwnershipPrivilege	1096	msiexec.exe
Token: SeRestorePrivilege	1096	msiexec.exe
Token: SeTakeOwnershipPrivilege	1096	msiexec.exe
Token: SeRestorePrivilege	1096	msiexec.exe
Token: SeTakeOwnershipPrivilege	1096	msiexec.exe
Token: SeRestorePrivilege	1096	msiexec.exe
Token: SeTakeOwnershipPrivilege	1096	msiexec.exe
Token: SeRestorePrivilege	1096	msiexec.exe
Token: SeTakeOwnershipPrivilege	1096	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 360	1988	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe	29
PID 1988 wrote to memory of 360	1988	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe	29
PID 1988 wrote to memory of 360	1988	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe	29
PID 1988 wrote to memory of 360	1988	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe	29
PID 1988 wrote to memory of 108	1988	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe	31
PID 1988 wrote to memory of 108	1988	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe	31
PID 1988 wrote to memory of 108	1988	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe	31
PID 1988 wrote to memory of 108	1988	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe	31
PID 360 wrote to memory of 520	360	cmd.exe	33
PID 360 wrote to memory of 520	360	cmd.exe	33
PID 360 wrote to memory of 520	360	cmd.exe	33
PID 360 wrote to memory of 520	360	cmd.exe	33
PID 108 wrote to memory of 320	108	cmd.exe	34
PID 108 wrote to memory of 320	108	cmd.exe	34
PID 108 wrote to memory of 320	108	cmd.exe	34
PID 108 wrote to memory of 320	108	cmd.exe	34
PID 360 wrote to memory of 1940	360	cmd.exe	36
PID 360 wrote to memory of 1940	360	cmd.exe	36
PID 360 wrote to memory of 1940	360	cmd.exe	36
PID 360 wrote to memory of 1940	360	cmd.exe	36
PID 360 wrote to memory of 328	360	cmd.exe	37
PID 360 wrote to memory of 328	360	cmd.exe	37
PID 360 wrote to memory of 328	360	cmd.exe	37
PID 360 wrote to memory of 328	360	cmd.exe	37
PID 360 wrote to memory of 656	360	cmd.exe	38
PID 360 wrote to memory of 656	360	cmd.exe	38
PID 360 wrote to memory of 656	360	cmd.exe	38
PID 360 wrote to memory of 656	360	cmd.exe	38
PID 360 wrote to memory of 1032	360	cmd.exe	39
PID 360 wrote to memory of 1032	360	cmd.exe	39
PID 360 wrote to memory of 1032	360	cmd.exe	39
PID 360 wrote to memory of 1032	360	cmd.exe	39
PID 360 wrote to memory of 1396	360	cmd.exe	40
PID 360 wrote to memory of 1396	360	cmd.exe	40
PID 360 wrote to memory of 1396	360	cmd.exe	40
PID 360 wrote to memory of 1396	360	cmd.exe	40
PID 360 wrote to memory of 1752	360	cmd.exe	41
PID 360 wrote to memory of 1752	360	cmd.exe	41
PID 360 wrote to memory of 1752	360	cmd.exe	41
PID 360 wrote to memory of 1752	360	cmd.exe	41
PID 360 wrote to memory of 1028	360	cmd.exe	42
PID 360 wrote to memory of 1028	360	cmd.exe	42
PID 360 wrote to memory of 1028	360	cmd.exe	42
PID 360 wrote to memory of 1028	360	cmd.exe	42
PID 360 wrote to memory of 1784	360	cmd.exe	43
PID 360 wrote to memory of 1784	360	cmd.exe	43
PID 360 wrote to memory of 1784	360	cmd.exe	43
PID 360 wrote to memory of 1784	360	cmd.exe	43
PID 360 wrote to memory of 436	360	cmd.exe	44
PID 360 wrote to memory of 436	360	cmd.exe	44
PID 360 wrote to memory of 436	360	cmd.exe	44
PID 360 wrote to memory of 436	360	cmd.exe	44
PID 360 wrote to memory of 1852	360	cmd.exe	45
PID 360 wrote to memory of 1852	360	cmd.exe	45
PID 360 wrote to memory of 1852	360	cmd.exe	45
PID 360 wrote to memory of 1852	360	cmd.exe	45
PID 360 wrote to memory of 1080	360	cmd.exe	46
PID 360 wrote to memory of 1080	360	cmd.exe	46
PID 360 wrote to memory of 1080	360	cmd.exe	46
PID 360 wrote to memory of 1080	360	cmd.exe	46
PID 360 wrote to memory of 1604	360	cmd.exe	47
PID 360 wrote to memory of 1604	360	cmd.exe	47
PID 360 wrote to memory of 1604	360	cmd.exe	47
PID 360 wrote to memory of 1604	360	cmd.exe	47

C:\Users\Admin\AppData\Local\Temp\77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
"C:\Users\Admin\AppData\Local\Temp\77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c hive.bat >NUL 2>NUL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:360
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:520
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1940
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:328
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:656
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1032
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1396
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1752
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1028
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1784
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:436
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1852
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1080
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1872
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1592
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1532
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:836
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1528
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:912
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:956
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:944
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:296
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1644
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:112
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:520
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:564
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1096
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:656
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1032
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1396
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:972
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1332
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1884
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1576
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1272
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:828
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1100
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:672
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1460
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1396
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1404
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:972
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1896
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1276
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1844
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:948
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:112
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:632
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1852
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2028
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1584
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:896
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1872
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1400
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1388
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2000
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:792
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:836
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:296
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:948
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:764
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1644
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:520
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1832
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:672
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:564
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:112
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1752
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1460
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1536
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:260
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1032
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1580
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:800
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1192
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1728
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1592
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1400
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1388
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:792
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:836
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:296
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:948
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:764
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1644
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:520
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1832
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:672
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c shadow.bat >NUL 2>NUL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:108
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:320

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1096
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 24DC00CEB17BB2DDD9AD52718C8E2EC2
  2⤵
  - Loads dropped DLL
  PID:960
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 865CDF519FA7BA2447C1A5A109DC866E
  2⤵
  - Loads dropped DLL
  PID:1396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/960-120-0x0000000075B31000-0x0000000075B33000-memory.dmp

Filesize
8KB

Download
memory/1096-115-0x000007FEFC391000-0x000007FEFC393000-memory.dmp

Filesize
8KB

Download