hive | 83796fb61255c7604cf96f0c5aec2ac62cbdeb9154289a0340407168d4809720

Analysis

max time kernel
147s
max time network
13s
platform
windows7_x64
resource
win7v20210408
submitted
28-07-2021 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe

Score

10^/10

hive ransomware spyware stealer

Malware Config

Signatures

Hive
A ransomware written in Golang first seen in June 2021.
ransomware hive
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops file in Drivers directory 8 IoCs

Processes:

77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\drivers\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\drivers\en-US\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Windows\SysWOW64\drivers\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\BackupEdit.tiff	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\Pictures\SubmitSuspend.tiff	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe

Drops startup file 2 IoCs

Processes:

77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe

Loads dropped DLL 15 IoCs

Processes:

MsiExec.exemsiexec.exeMsiExec.exe

pid	process
960	MsiExec.exe
960	MsiExec.exe
960	MsiExec.exe
960	MsiExec.exe
1096	msiexec.exe
1096	msiexec.exe
1096	msiexec.exe
1096	msiexec.exe
960	MsiExec.exe
960	MsiExec.exe
960	MsiExec.exe
960	MsiExec.exe
1096	msiexec.exe
1096	msiexec.exe
1396	MsiExec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

Processes:

77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8HHGB03\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNHPAZTY\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X8SF34HL\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2455352368-1077083310-2879168483-1000\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\H18KNA1T\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VNYR844D\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VFDYFLB4\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\E9RC2MV6\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in System32 directory 64 IoCs

Processes:

77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe

description	ioc	process
File created	C:\Windows\SysWOW64\migration\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmntt1.inf_amd64_neutral_ecf5cff2236b273a\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\transfercable.inf_amd64_neutral_82f4c743c8996d67\amd64\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netirda.inf_amd64_neutral_93a886f96cea2847\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr008.inf_amd64_neutral_0540370b0b1e348e\Amd64\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\microsoft-activedirectory-webservices\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_neutral_4616c3de1949be6d\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\replacementmanifests\Microsoft-Windows-TerminalServices-LicenseServer\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\Setup\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hpoa1so.inf_amd64_neutral_4f1a3f1015001339\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mchgr.inf_amd64_neutral_407146dba80d1566\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr006.inf_amd64_neutral_f156853def526447\Amd64\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00d.inf_amd64_neutral_ce7a0b4e23e432ad\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-DirectoryServices-ADAM-DL\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmcxpv6.inf_amd64_neutral_f62ac4bd04e653d0\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmdsi.inf_amd64_neutral_e77f438012239042\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgl009.inf_amd64_neutral_bed6224f27f5c478\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00g.inf_amd64_neutral_6f76b14b2912fa55\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\040c\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\da-DK\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\avmx64c.inf_amd64_neutral_8ebb15bf548db022\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\monitor.inf_amd64_neutral_ab477c4d805d044f\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\nete1e3e.inf_amd64_neutral_f77725472d91b1d1\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Windows\SysWOW64\fi-FI\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\de-DE\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmaiwat.inf_amd64_neutral_213e93b5ced8b0fe\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgsm.inf_amd64_neutral_dd3fbd8c64c7c87d\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmod.inf_amd64_neutral_5766736c47b90fff\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep004.inf_amd64_neutral_63b22bfb6b93eaba\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netxfx64.inf_amd64_neutral_3336ecb2950fdc45\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-IE-ESC\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0416\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\Tasks\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\compositebus.inf_amd64_neutral_b9280780a8000d4b\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\crcdisk.inf_amd64_neutral_d10626d1f8b423c3\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Windows\SysWOW64\wbem\Logs\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnin002.inf_amd64_neutral_977d40799168c216\Amd64\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMESC5\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0404\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\com\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\microsoft-windows-audio-mmecore-other\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_neutral_4b99fffee061ff26\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00z.inf_amd64_neutral_27f402ce616c3ebc\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-TapiSetup\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\Speech\Engines\SR\en-US\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\HomeBasicN\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-msmq-messagingcoreservice\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\microsoft-windows-ndis\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-Unimodem-Config\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\SysWOW64\tr-TR\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmaiwa.inf_amd64_neutral_560c956da9bcd8f5\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netw5v64.inf_amd64_neutral_a6b778ba802632cc\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnxx002.inf_amd64_neutral_560fdd891b24f384\Amd64\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiasa002.inf_amd64_neutral_6429a42f1243419a\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe

Drops file in Program Files directory 64 IoCs

Processes:

77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-3	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar.HEjbHG7qSj5K-iP3q7G9d4aL9b0IGIAzewrO1sK4oQw.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00296_.WMF.HEjbHG7qSj5K-iP3q7G9dx_CDR_vQE1L6qGCTVPQHgY.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00601_.WMF.HEjbHG7qSj5K-iP3q7G9d1TUqGm5ZMYhj-Wq7urzXGQ.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL01565_.WMF.HEjbHG7qSj5K-iP3q7G9dwf5UrQJhhggYLFHLV99jS0.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationUp_SelectionSubpicture.png	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libnuv_plugin.dll	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectStatusIcons.jpg	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Goose_Bay.HEjbHG7qSj5K-iP3q7G9d8heUamjfCc4PqwRSnV183w.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115844.GIF.HEjbHG7qSj5K-iP3q7G9d0iv0RVx5dY1ABXjxVyzkQM.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\23.png	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt.HEjbHG7qSj5K-iP3q7G9d1GW1V1ONL1SIKzKfFb7QAY.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\ACTIVITY.CFG	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Kiritimati.HEjbHG7qSj5K-iP3q7G9dzemz8PeogVONekE7BuI3yI.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ahclient.dll.HEjbHG7qSj5K-iP3q7G9d_pLF1TjduE0V5Rj8CMFDAU.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_ja_4.4.0.v20140623020002.jar	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\17.png	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SIGN.CFG	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18239_.WMF.HEjbHG7qSj5K-iP3q7G9d-ihBbT-o9deQYxkZfa6blc.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241041.WMF	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\ACWZTOOL.ACCDE	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\cacerts	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Guam	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\MS.GIF	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Java\jre7\lib\charsets.jar.HEjbHG7qSj5K-iP3q7G9d8t6p7Vw1W9sFGDqznG5xHs.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CUP.WMF.HEjbHG7qSj5K-iP3q7G9d4yZi3NbQONpRpPK1KkQ5Aw.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Regina	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-utility-l1-1-0.dll	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\TAB_ON.GIF.HEjbHG7qSj5K-iP3q7G9d5oUYcfW3ukvM5fq3WWZkVo.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107290.WMF	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ko.pak.HEjbHG7qSj5K-iP3q7G9d-IcUxXrsZ03fkissIDyXm8.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00917_.WMF	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Americana\TAB_ON.GIF	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png.HEjbHG7qSj5K-iP3q7G9d_oeN9yh7CQqzCu2nEzD2SQ.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libcc_plugin.dll.HEjbHG7qSj5K-iP3q7G9d6PYIF0VyLVCM7IafO483Dg.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02398_.WMF.HEjbHG7qSj5K-iP3q7G9dz9-3Dx7b3N4Z4hrkwPzs2s.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\LOCALDV.DLL	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FORMCTL.POC	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\ZoneInfoMappings.HEjbHG7qSj5K-iP3q7G9dwbvvKDOySY7E6Wfib7yq2s.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.DEV.HXS.HEjbHG7qSj5K-iP3q7G9dwQROsUYBqAIihBf3ZUEQjo.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10265_.GIF.HEjbHG7qSj5K-iP3q7G9d37IIO8wvnF_taAxnaX2FWY.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\vlc.mo	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_h.png	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\utilityfunctions.js	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Search.api.HEjbHG7qSj5K-iP3q7G9d1HqsUjDu4VShB33HlF6gmw.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\vlc.mo	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Library\EUROTOOL.XLAM	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider_right.png	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\CASCADE.INF	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01357_.WMF	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02371_.WMF	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_mp4_plugin.dll.HEjbHG7qSj5K-iP3q7G9d9PinFaeVHoXQX5ArXb1mC4.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Tripoli	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\charsets.jar.HEjbHG7qSj5K-iP3q7G9d1rIm-4TC7picYqdLb_bJFY.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\WordpadFilter.dll	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00444_.WMF	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_ja_4.4.0.v20140623020002.jar.HEjbHG7qSj5K-iP3q7G9d1F_QL0xfKBZXys56rbuDRY.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Mozilla Firefox\lgpllibs.dll.HEjbHG7qSj5K-iP3q7G9dz7WuepDnnswsgUrWej0Qwg.hive	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileOffMask.bmp	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\RSSFeeds.js	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\VERSION.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe

Drops file in Windows directory 64 IoCs

Processes:

77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe

description	ioc	process
File created	C:\Windows\Boot\EFI\pt-PT\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_Data\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\GAC_MSIL\PresentationFramework.Classic\3.0.0.0__31bf3856ad364e35\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Transacti#\a04be0cabc675da23c6cdd970b50e3c5\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\debug\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\inf\aspnet_state\0416\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\WPF\en-US\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\GAC_MSIL\ehiBmlDataCarousel\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\UIAutomatio4e153cb6#\42295046050399a00e1928eeb8e37adc\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\winsxs\amd64_mdmtkr.inf_31bf3856ad364e35_6.1.7600.16385_none_ade8da810f91972b\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.InfoPath.Xml\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\GAC_MSIL\Policy.12.0.office\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\winsxs\amd64_cxraptor_fm1216mk5_ibv64.inf_31bf3856ad364e35_6.1.7600.16385_none_6fc613b717a25720\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.FileSystem\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\security\ApplicationId\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Desktop\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\WindowsFormsIntegra#\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\Boot\EFI\cs-CZ\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Workflow.Run#\462293b97f4b8f084192a7fbae47269f\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.In#\1ea8ad2c4072a33cc9f2981dea3b8ddf\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Globalization\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.RegularExpressions\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\GAC_64\mcstoredb\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.UpdateDiagRootcause.Resources\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Data.Services.Design\3.5.0.0__b77a5c561934e089\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\winsxs\amd64_machine.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a102031c07b6ad1d\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\GAC_MSIL\Policy.11.0.office\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\MIGUIControls\569e273efda8306ec7e22143d5285476\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp\e2e42e6b0f65a618da8ab7235c27faf0\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\inf\RemoteAccess\0000\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\winsxs\amd64_display.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bb90e0956a02ab0\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\winsxs\amd64_iastorv.inf_31bf3856ad364e35_6.1.7601.17514_none_0d3757e79e6784d0\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security.Cryptography.X509Certificates\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClients#\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.I#\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\inf\.NET CLR Networking 4.0.0.0\0006\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\inf\ESENT\0000\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\Globalization\MCT\MCT-US\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Serialization.Primitives\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualC\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Windows.Presentation\3.5.0.0__b77a5c561934e089\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\1e85062785e286cd9eae9c26d2c61f73\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\Boot\DVD\EFI\en-US\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.AddI3d71a354#\e9b555ea0ea297aaf786f05eefd6e5a9\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\GAC_MSIL\System.AddIn\3.5.0.0__b77a5c561934e089\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\ComSvcConfig\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\inf\ASP.NET_4.0.30319\0416\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.AppContext\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\inf\Windows Workflow Foundation 4.0.0.0\0015\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\inf\Windows Workflow Foundation 4.0.0.0\0804\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\winsxs\amd64_mdmusrk1.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_152819b000cbe224\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Ink.Resources\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.InfoPath.Permission\HOW_TO_DECRYPT.txt	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
1644	timeout.exe
1592	timeout.exe
1396	timeout.exe
296	timeout.exe
1028	timeout.exe
436	timeout.exe
1584	timeout.exe
1388	timeout.exe
792	timeout.exe
520	timeout.exe
1532	timeout.exe
1844	timeout.exe
632	timeout.exe
1784	timeout.exe
1852	timeout.exe
836	timeout.exe
956	timeout.exe
672	timeout.exe
1580	timeout.exe
896	timeout.exe
1396	timeout.exe
1388	timeout.exe
1400	timeout.exe
1032	timeout.exe
1728	timeout.exe
672	timeout.exe
1400	timeout.exe
1460	timeout.exe
1100	timeout.exe
1896	timeout.exe
564	timeout.exe
1644	timeout.exe
1396	timeout.exe
1592	timeout.exe
1872	timeout.exe
1644	timeout.exe
564	timeout.exe
1536	timeout.exe
944	timeout.exe
1576	timeout.exe
1276	timeout.exe
1852	timeout.exe
1752	timeout.exe
2028	timeout.exe
1872	timeout.exe
112	timeout.exe
1884	timeout.exe
948	timeout.exe
2000	timeout.exe
792	timeout.exe
1832	timeout.exe
1192	timeout.exe
1940	timeout.exe
1080	timeout.exe
912	timeout.exe
672	timeout.exe
836	timeout.exe
1528	timeout.exe
1096	timeout.exe
1332	timeout.exe
1272	timeout.exe
764	timeout.exe
1752	timeout.exe
260	timeout.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

320 vssadmin.exe

pid	process
320	vssadmin.exe

Modifies registry class 7 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit\command	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx\IconHandler	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon	msiexec.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exemsiexec.exe

pid process

1988 77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
1096 msiexec.exe
1096 msiexec.exe

pid	process
1988	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
1096	msiexec.exe
1096	msiexec.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

vssvc.exemsiexec.exe

description	pid	process
Token: SeBackupPrivilege	1632	vssvc.exe
Token: SeRestorePrivilege	1632	vssvc.exe
Token: SeAuditPrivilege	1632	vssvc.exe
Token: SeRestorePrivilege	1096	msiexec.exe
Token: SeTakeOwnershipPrivilege	1096	msiexec.exe
Token: SeSecurityPrivilege	1096	msiexec.exe
Token: SeRestorePrivilege	1096	msiexec.exe
Token: SeTakeOwnershipPrivilege	1096	msiexec.exe
Token: SeRestorePrivilege	1096	msiexec.exe
Token: SeTakeOwnershipPrivilege	1096	msiexec.exe
Token: SeRestorePrivilege	1096	msiexec.exe
Token: SeTakeOwnershipPrivilege	1096	msiexec.exe
Token: SeRestorePrivilege	1096	msiexec.exe
Token: SeTakeOwnershipPrivilege	1096	msiexec.exe
Token: SeRestorePrivilege	1096	msiexec.exe
Token: SeTakeOwnershipPrivilege	1096	msiexec.exe
Token: SeRestorePrivilege	1096	msiexec.exe
Token: SeTakeOwnershipPrivilege	1096	msiexec.exe
Token: SeRestorePrivilege	1096	msiexec.exe
Token: SeTakeOwnershipPrivilege	1096	msiexec.exe
Token: SeRestorePrivilege	1096	msiexec.exe
Token: SeTakeOwnershipPrivilege	1096	msiexec.exe
Token: SeRestorePrivilege	1096	msiexec.exe
Token: SeTakeOwnershipPrivilege	1096	msiexec.exe
Token: SeRestorePrivilege	1096	msiexec.exe
Token: SeTakeOwnershipPrivilege	1096	msiexec.exe
Token: SeRestorePrivilege	1096	msiexec.exe
Token: SeTakeOwnershipPrivilege	1096	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.execmd.execmd.exe

description	pid	process	target process
PID 1988 wrote to memory of 360	1988	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe	cmd.exe
PID 1988 wrote to memory of 360	1988	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe	cmd.exe
PID 1988 wrote to memory of 360	1988	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe	cmd.exe
PID 1988 wrote to memory of 360	1988	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe	cmd.exe
PID 1988 wrote to memory of 108	1988	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe	cmd.exe
PID 1988 wrote to memory of 108	1988	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe	cmd.exe
PID 1988 wrote to memory of 108	1988	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe	cmd.exe
PID 1988 wrote to memory of 108	1988	77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe	cmd.exe
PID 360 wrote to memory of 520	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 520	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 520	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 520	360	cmd.exe	timeout.exe
PID 108 wrote to memory of 320	108	cmd.exe	vssadmin.exe
PID 108 wrote to memory of 320	108	cmd.exe	vssadmin.exe
PID 108 wrote to memory of 320	108	cmd.exe	vssadmin.exe
PID 108 wrote to memory of 320	108	cmd.exe	vssadmin.exe
PID 360 wrote to memory of 1940	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 1940	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 1940	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 1940	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 328	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 328	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 328	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 328	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 656	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 656	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 656	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 656	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 1032	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 1032	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 1032	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 1032	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 1396	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 1396	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 1396	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 1396	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 1752	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 1752	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 1752	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 1752	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 1028	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 1028	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 1028	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 1028	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 1784	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 1784	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 1784	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 1784	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 436	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 436	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 436	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 436	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 1852	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 1852	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 1852	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 1852	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 1080	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 1080	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 1080	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 1080	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 1604	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 1604	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 1604	360	cmd.exe	timeout.exe
PID 360 wrote to memory of 1604	360	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe
"C:\Users\Admin\AppData\Local\Temp\77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\cmd.exe
cmd /c hive.bat >NUL 2>NUL
2⤵
- Suspicious use of WriteProcessMemory
PID:360

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:520

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1940

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:328

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:656

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1032

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1396

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1752

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1028

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1784

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:436

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1852

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1080

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1604

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1872

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1584

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1592

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1532

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:836

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1408

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1100

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1528

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:912

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:956

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:944

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:296

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1644

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:112

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:520

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:564

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1096

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1616

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:656

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1032

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1396

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1752

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:972

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1332

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1500

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1884

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1580

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1628

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1576

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1272

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1844

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:828

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1100

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1564

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:672

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1460

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1396

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1404

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:972

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1896

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1276

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1680

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1844

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:948

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:112

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:632

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1852

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2028

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1580

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1584

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2036

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:896

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1872

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1592

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1400

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1680

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1160

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1388

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2000

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:792

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:836

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:296

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:948

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:764

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1644

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:520

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1832

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:672

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:564

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:112

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1752

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1460

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1720

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1536

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:260

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1032

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1852

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1468

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1580

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:800

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1576

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1688

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1192

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1276

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1728

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1592

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1400

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1680

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1160

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1388

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2000

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:792

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:836

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:296

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:948

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:764

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1644

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:520

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1832

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:672

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:564

C:\Windows\SysWOW64\cmd.exe
cmd /c shadow.bat >NUL 2>NUL
2⤵
- Suspicious use of WriteProcessMemory
PID:108

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:320

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 24DC00CEB17BB2DDD9AD52718C8E2EC2
2⤵
- Loads dropped DLL
PID:960

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 865CDF519FA7BA2447C1A5A109DC866E
2⤵
- Loads dropped DLL
PID:1396

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2455352368-1077083310-2879168483-1000\desktop.ini
MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\hive.bat
MD5
3c34a87cf0107262a93c2adccde10b37

SHA1
bcf860da19191d91f015096aedf16e7492238763

SHA256
5993e915a2c1520c5f1261d4139544dd998cb7f2c4f780bbe1ff29f5e86d0560

SHA512
8c6503bf188583611b000bdb128a3146b372ddf1ba9780942dc8675ad5bc39bf6da5ef61a35fc0153d154ee74662d6b9118f57ad24b0afe0fdc95068583905a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\shadow.bat
MD5
df5552357692e0cba5e69f8fbf06abb6

SHA1
4714f1e6bb75a80a8faf69434726d176b70d7bd8

SHA256
d158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8

SHA512
a837555a1175ab515e2b43da9e493ff0ccd4366ee59defe6770327818ca9afa6f3e39ecdf5262b69253aa9e2692283ee8cebc97d58edd42e676977c7f73d143d

Download Submit
C:\Windows\Installer\MSI822B.tmp
MD5
d1f5ce6b23351677e54a245f46a9f8d2

SHA1
0d5c6749401248284767f16df92b726e727718ca

SHA256
57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc

SHA512
960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba

Download Submit
C:\Windows\Installer\MSI90BC.tmp
MD5
4a843a97ae51c310b573a02ffd2a0e8e

SHA1
063fa914ccb07249123c0d5f4595935487635b20

SHA256
727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

SHA512
905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

Download Submit
C:\Windows\Installer\MSI9214.tmp
MD5
4a843a97ae51c310b573a02ffd2a0e8e

SHA1
063fa914ccb07249123c0d5f4595935487635b20

SHA256
727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

SHA512
905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

Download Submit
C:\Windows\Installer\MSI980E.tmp
MD5
d1f5ce6b23351677e54a245f46a9f8d2

SHA1
0d5c6749401248284767f16df92b726e727718ca

SHA256
57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc

SHA512
960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba

Download Submit
C:\Windows\Installer\MSIB2DF.tmp
MD5
85221b3bcba8dbe4b4a46581aa49f760

SHA1
746645c92594bfc739f77812d67cfd85f4b92474

SHA256
f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f

SHA512
060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

Download Submit
C:\Windows\Installer\MSIB4A5.tmp
MD5
33908aa43ac0aaabc06a58d51b1c2cca

SHA1
0a0d1ce3435abe2eed635481bac69e1999031291

SHA256
4447faacefaba8f040822101e2a4103031660de9139e70ecff9aa3a89455a783

SHA512
d5216a53df9cfbe1a78629c103286eb17042f639149c46b6a1cd76498531ae82afd265462fbe0ba9baaff275fc95c66504804f107c449f3fc5833b1ed9c3da46

Download Submit
C:\Windows\Installer\MSIB5B0.tmp
MD5
4a843a97ae51c310b573a02ffd2a0e8e

SHA1
063fa914ccb07249123c0d5f4595935487635b20

SHA256
727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

SHA512
905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

Download Submit
C:\Windows\Installer\MSIB8EB.tmp
MD5
ff58cd07bf4913ef899efd2dfb112553

SHA1
f14c1681de808543071602f17a6299f8b4ba2ae8

SHA256
1afafe9157ff5670bbec8ce622f45d1ce51b3ee77b7348d3a237e232f06c5391

SHA512
23e27444b6cdc17fe56f3a80d6325c2be61ae84213bc7cdaad7bb96daa7e8d2d3defc1b96c3cee4a3f32dc464b0e05720bcf1c0e99626bf83de1b6d5aac000a3

Download Submit
\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
MD5
81e7e920312d372cf57a817049ac7c76

SHA1
0a2e953f2d8ecdf984532f2d8e3c0264fc079498

SHA256
ff9a2e7fe46937b34f8e61f58df1f6108742cce58505f212e8666cb4ab7b74f9

SHA512
76530f002a84a791f1b440c1ab57138b8813dc395027e5c02002d67e9c7a72d6e448bbc2f844fd2cfb61259c37d916a6835035bdb442b45814c1d1aab4743a52

Download Submit
\Program Files\Microsoft Office\Office14\VISSHE.DLL
MD5
2f4759c23abcd639ac3ca7f8fa9480ac

SHA1
9a3fece585fa01b7b941e124ead0c39c8ce9bc7c

SHA256
6d66fa59407862e0fddfcb36472fe810eb308653321ca0e374ac870f9aa8cec6

SHA512
6ab14d6a8d3e9a751d68133e734cc804de2b50a7ef223d484d0f727cdfbd00d48f6e0666c3b86a0daf9ca42c0b726f6c2a088e5bb32c993748abfea7b5904ec6

Download Submit
\Program Files\Microsoft Office\Office14\VISSHE.DLL
MD5
2f4759c23abcd639ac3ca7f8fa9480ac

SHA1
9a3fece585fa01b7b941e124ead0c39c8ce9bc7c

SHA256
6d66fa59407862e0fddfcb36472fe810eb308653321ca0e374ac870f9aa8cec6

SHA512
6ab14d6a8d3e9a751d68133e734cc804de2b50a7ef223d484d0f727cdfbd00d48f6e0666c3b86a0daf9ca42c0b726f6c2a088e5bb32c993748abfea7b5904ec6

Download Submit
\Program Files\Microsoft Office\Office14\VISSHE.DLL
MD5
2f4759c23abcd639ac3ca7f8fa9480ac

SHA1
9a3fece585fa01b7b941e124ead0c39c8ce9bc7c

SHA256
6d66fa59407862e0fddfcb36472fe810eb308653321ca0e374ac870f9aa8cec6

SHA512
6ab14d6a8d3e9a751d68133e734cc804de2b50a7ef223d484d0f727cdfbd00d48f6e0666c3b86a0daf9ca42c0b726f6c2a088e5bb32c993748abfea7b5904ec6

Download Submit
\Program Files\Microsoft Office\Office14\VISSHE.DLL
MD5
2f4759c23abcd639ac3ca7f8fa9480ac

SHA1
9a3fece585fa01b7b941e124ead0c39c8ce9bc7c

SHA256
6d66fa59407862e0fddfcb36472fe810eb308653321ca0e374ac870f9aa8cec6

SHA512
6ab14d6a8d3e9a751d68133e734cc804de2b50a7ef223d484d0f727cdfbd00d48f6e0666c3b86a0daf9ca42c0b726f6c2a088e5bb32c993748abfea7b5904ec6

Download Submit
\Program Files\Microsoft Office\Office14\VISSHE.DLL
MD5
2f4759c23abcd639ac3ca7f8fa9480ac

SHA1
9a3fece585fa01b7b941e124ead0c39c8ce9bc7c

SHA256
6d66fa59407862e0fddfcb36472fe810eb308653321ca0e374ac870f9aa8cec6

SHA512
6ab14d6a8d3e9a751d68133e734cc804de2b50a7ef223d484d0f727cdfbd00d48f6e0666c3b86a0daf9ca42c0b726f6c2a088e5bb32c993748abfea7b5904ec6

Download Submit
\Program Files\Microsoft Office\Office14\VISSHE.DLL
MD5
2f4759c23abcd639ac3ca7f8fa9480ac

SHA1
9a3fece585fa01b7b941e124ead0c39c8ce9bc7c

SHA256
6d66fa59407862e0fddfcb36472fe810eb308653321ca0e374ac870f9aa8cec6

SHA512
6ab14d6a8d3e9a751d68133e734cc804de2b50a7ef223d484d0f727cdfbd00d48f6e0666c3b86a0daf9ca42c0b726f6c2a088e5bb32c993748abfea7b5904ec6

Download Submit
\Windows\Installer\MSI822B.tmp
MD5
d1f5ce6b23351677e54a245f46a9f8d2

SHA1
0d5c6749401248284767f16df92b726e727718ca

SHA256
57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc

SHA512
960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba

Download Submit
\Windows\Installer\MSI90BC.tmp
MD5
4a843a97ae51c310b573a02ffd2a0e8e

SHA1
063fa914ccb07249123c0d5f4595935487635b20

SHA256
727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

SHA512
905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

Download Submit
\Windows\Installer\MSI9214.tmp
MD5
4a843a97ae51c310b573a02ffd2a0e8e

SHA1
063fa914ccb07249123c0d5f4595935487635b20

SHA256
727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

SHA512
905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

Download Submit
\Windows\Installer\MSI980E.tmp
MD5
d1f5ce6b23351677e54a245f46a9f8d2

SHA1
0d5c6749401248284767f16df92b726e727718ca

SHA256
57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc

SHA512
960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba

Download Submit
\Windows\Installer\MSIB2DF.tmp
MD5
85221b3bcba8dbe4b4a46581aa49f760

SHA1
746645c92594bfc739f77812d67cfd85f4b92474

SHA256
f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f

SHA512
060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

Download Submit
\Windows\Installer\MSIB4A5.tmp
MD5
33908aa43ac0aaabc06a58d51b1c2cca

SHA1
0a0d1ce3435abe2eed635481bac69e1999031291

SHA256
4447faacefaba8f040822101e2a4103031660de9139e70ecff9aa3a89455a783

SHA512
d5216a53df9cfbe1a78629c103286eb17042f639149c46b6a1cd76498531ae82afd265462fbe0ba9baaff275fc95c66504804f107c449f3fc5833b1ed9c3da46

Download Submit
\Windows\Installer\MSIB5B0.tmp
MD5
4a843a97ae51c310b573a02ffd2a0e8e

SHA1
063fa914ccb07249123c0d5f4595935487635b20

SHA256
727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

SHA512
905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

Download Submit
\Windows\Installer\MSIB8EB.tmp
MD5
ff58cd07bf4913ef899efd2dfb112553

SHA1
f14c1681de808543071602f17a6299f8b4ba2ae8

SHA256
1afafe9157ff5670bbec8ce622f45d1ce51b3ee77b7348d3a237e232f06c5391

SHA512
23e27444b6cdc17fe56f3a80d6325c2be61ae84213bc7cdaad7bb96daa7e8d2d3defc1b96c3cee4a3f32dc464b0e05720bcf1c0e99626bf83de1b6d5aac000a3

Download Submit
memory/108-61-0x0000000000000000-mapping.dmp

Download
memory/112-92-0x0000000000000000-mapping.dmp

Download
memory/112-140-0x0000000000000000-mapping.dmp

Download
memory/296-90-0x0000000000000000-mapping.dmp

Download
memory/320-65-0x0000000000000000-mapping.dmp

Download
memory/328-68-0x0000000000000000-mapping.dmp

Download
memory/360-60-0x0000000000000000-mapping.dmp

Download
memory/436-75-0x0000000000000000-mapping.dmp

Download
memory/520-64-0x0000000000000000-mapping.dmp

Download
memory/520-93-0x0000000000000000-mapping.dmp

Download
memory/564-94-0x0000000000000000-mapping.dmp

Download
memory/632-146-0x0000000000000000-mapping.dmp

Download
memory/656-97-0x0000000000000000-mapping.dmp

Download
memory/656-69-0x0000000000000000-mapping.dmp

Download
memory/672-113-0x0000000000000000-mapping.dmp

Download
memory/828-110-0x0000000000000000-mapping.dmp

Download
memory/836-83-0x0000000000000000-mapping.dmp

Download
memory/912-87-0x0000000000000000-mapping.dmp

Download
memory/944-89-0x0000000000000000-mapping.dmp

Download
memory/948-138-0x0000000000000000-mapping.dmp

Download
memory/956-88-0x0000000000000000-mapping.dmp

Download
memory/960-118-0x0000000000000000-mapping.dmp

Download
memory/960-120-0x0000000075B31000-0x0000000075B33000-memory.dmp

Filesize
8KB

Download
memory/972-101-0x0000000000000000-mapping.dmp

Download
memory/972-119-0x0000000000000000-mapping.dmp

Download
memory/1028-73-0x0000000000000000-mapping.dmp

Download
memory/1032-98-0x0000000000000000-mapping.dmp

Download
memory/1032-70-0x0000000000000000-mapping.dmp

Download
memory/1080-77-0x0000000000000000-mapping.dmp

Download
memory/1096-115-0x000007FEFC391000-0x000007FEFC393000-memory.dmp

Filesize
8KB

Download
memory/1096-95-0x0000000000000000-mapping.dmp

Download
memory/1100-85-0x0000000000000000-mapping.dmp

Download
memory/1100-111-0x0000000000000000-mapping.dmp

Download
memory/1272-108-0x0000000000000000-mapping.dmp

Download
memory/1276-124-0x0000000000000000-mapping.dmp

Download
memory/1332-102-0x0000000000000000-mapping.dmp

Download
memory/1396-116-0x0000000000000000-mapping.dmp

Download
memory/1396-71-0x0000000000000000-mapping.dmp

Download
memory/1396-99-0x0000000000000000-mapping.dmp

Download
memory/1396-149-0x0000000000000000-mapping.dmp

Download
memory/1404-117-0x0000000000000000-mapping.dmp

Download
memory/1408-84-0x0000000000000000-mapping.dmp

Download
memory/1460-114-0x0000000000000000-mapping.dmp

Download
memory/1500-103-0x0000000000000000-mapping.dmp

Download
memory/1528-86-0x0000000000000000-mapping.dmp

Download
memory/1532-82-0x0000000000000000-mapping.dmp

Download
memory/1564-112-0x0000000000000000-mapping.dmp

Download
memory/1576-107-0x0000000000000000-mapping.dmp

Download
memory/1580-105-0x0000000000000000-mapping.dmp

Download
memory/1584-80-0x0000000000000000-mapping.dmp

Download
memory/1592-81-0x0000000000000000-mapping.dmp

Download
memory/1604-78-0x0000000000000000-mapping.dmp

Download
memory/1616-96-0x0000000000000000-mapping.dmp

Download
memory/1628-106-0x0000000000000000-mapping.dmp

Download
memory/1644-91-0x0000000000000000-mapping.dmp

Download
memory/1680-129-0x0000000000000000-mapping.dmp

Download
memory/1752-100-0x0000000000000000-mapping.dmp

Download
memory/1752-72-0x0000000000000000-mapping.dmp

Download
memory/1784-74-0x0000000000000000-mapping.dmp

Download
memory/1844-135-0x0000000000000000-mapping.dmp

Download
memory/1844-109-0x0000000000000000-mapping.dmp

Download
memory/1852-76-0x0000000000000000-mapping.dmp

Download
memory/1872-79-0x0000000000000000-mapping.dmp

Download
memory/1884-104-0x0000000000000000-mapping.dmp

Download
memory/1896-121-0x0000000000000000-mapping.dmp

Download
memory/1940-66-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads