hive | 011940fa7ad425f96cd82f7460a5d01503638573dd77da9873df7aecaf35e686

Analysis

max time kernel
151s
max time network
124s
platform
windows10_x64
resource
win10-en-20211104
submitted
16/11/2021, 15:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
Size

764KB
MD5

2f9fc82898d718f2abe99c4a6fa79e69
SHA1

9d336b8911c8ffd7cc809e31d5b53796bb0cc7bb
SHA256

88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1
SHA512

19f0879b1c54d305ab7a97a0d46ab79c103d4687fe37d5f9ef1934904eea48a1c66b1ac2de3dace6dc0d91623309287044c198cb0b3fc9f8453fbc9d1c0cae8b

Score

10^/10

hive ransomware spyware stealer

Malware Config

Signatures

Hive
A ransomware written in Golang first seen in June 2021.
ransomware hive
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops file in Drivers directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\en-US\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\drivers\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\CompressJoin.tiff	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1042495040-510797905-2613508344-1000\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Public\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Configuration\BaseRegistration\de-DE\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\000e\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\VpnClient\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetSecurity\de\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\Configuration\Registration\MSFT_FileDirectoryConfiguration\ja-JP\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\Speech_OneCore\Common\en-AU\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsUpdate\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\MUI\0411\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_LogResource\en-US\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\Licenses\neutral\OEM\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\en-US\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Storage\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\XPSViewer\ja-JP\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0010\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\Volume\Professional\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ProcessResource\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForAny\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\Dism\de-DE\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_GroupResource\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\fr-FR\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0404\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\ja-JP\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\DiagSvcs\de-DE\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\MUI\0409\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\config\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\es-ES\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\ja-JP\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\fr\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_UserResource\ja-JP\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\de-DE\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCClassResources\WindowsPackageCab\fr-FR\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TrustedPlatformModule\fr-FR\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\config\RegBack\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0006\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\Bthprops\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\config\Journal\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetQos\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ArchiveResource\de-DE\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForSome\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\en-US\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\SessionConfig\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\Configuration\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\Configuration\Schema\MSFT_FileDirectoryConfiguration\fr-FR\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsClient\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\es-MX\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForAll\ja-JP\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Examples\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\de-DE\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0013\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\Professional\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Dism\en\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RoleResource\ja-JP\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\DiagSvcs\en-US\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\InstallShield\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0021\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\Tasks\Microsoft\Windows\RemoteApp and Desktop Connections Update\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetSecurity\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\GroupSet\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\TextureBitmaps\pitissue.jpg	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\lc_60x42.png	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorStoreLogo.contrast-black_scale-100.png	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS.8ykYJOmJGxspJegyvQV0o7pZ3fpuokYiOx5JglU7Ews.hive	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-pl.xrm-ms.8ykYJOmJGxspJegyvQV0o7YtvusFB4NT_ntjnVIUUSI.hive	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.38e1ccbd.pri	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ppd.xrm-ms.8ykYJOmJGxspJegyvQV0oxRuj1U_KPUrGFnUEGrELls.hive	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\si\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-125_8wekyb3d8bbwe\Lumia.ViewerPlugin\Assets\IconOpenInCinemagraph.contrast-high_scale-125.png	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\19.jpg	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\It.snippets.ps1xml	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\de-de\ui-strings.js	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXT	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\misc.exe	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Text\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-24_altform-unplated.png	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\pt-br\ui-strings.js	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionWideTile.scale-200.png	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms.8ykYJOmJGxspJegyvQV0o8S1yzCH2wwuX5RrvbYzVB8.hive	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\pl_60x42.png	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailWideTile.scale-150.png	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libvpx_plugin.dll	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\id_60x42.png	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_contrast-white.png	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\redshift.ini.8ykYJOmJGxspJegyvQV0o5V_vV2gqbl1LA-eudUlEXc.hive	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ppd.xrm-ms	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-48.png	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Voices\beeps\config.lua	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\EXPEDITN.INF.8ykYJOmJGxspJegyvQV0oyFRoEAICbs19WUVp089tzY.hive	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\inline-error-1x.png	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\libexport_plugin.dll	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.annotation_1.2.0.v201401042248.jar.8ykYJOmJGxspJegyvQV0owUKEf7_DjgfXyr1MUG1NGs.hive	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler64.exe	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\tr-tr\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Luna.dll	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.3_1.3.23901.0_x86__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailWideTile.scale-400.png	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\sound.properties.8ykYJOmJGxspJegyvQV0o74_XIj5eUBOwQ--qFBzYDo.hive	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Eye.png	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.4_1.4.24201.0_x86__8wekyb3d8bbwe\AppxManifest.xml	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Aquarium\mask\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ul-oob.xrm-ms.8ykYJOmJGxspJegyvQV0o1g1XPEiIIkYGgM1ZOQLr1o.hive	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll.8ykYJOmJGxspJegyvQV0o09QVGY_vr9y082a0kIVrCw.hive	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms.8ykYJOmJGxspJegyvQV0o_zxnb3DZKMcQfV2qfjDFzY.hive	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\en-gb\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\StoreRatingPromotion.dll	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\FreeCell\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\mask\13d.png	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\LargeTile.scale-200.png	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ul-oob.xrm-ms	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Tec.dll	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookMedTile.scale-100.png	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\call.png	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-phn.xrm-ms	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Grace-ul-oob.xrm-ms.8ykYJOmJGxspJegyvQV0owgZXNnGMGNISksdCfN0kyY.hive	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualC\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.InteropServices.WindowsRuntime\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.resources\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationClientsideProviders.resources\v4.0_4.0.0.0_ja_31bf3856ad364e35\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\XsdBuildTask.resources\v4.0_4.0.0.0_fr_31bf3856ad364e35\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\INF\MSDTC\0000\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\Fonts\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Common\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Input.Manipulations\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\InfusedApps\Applications\Microsoft.MSPaint_1.1702.28017.0_neutral_~_8wekyb3d8bbwe\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\1033\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Boot\PCAT\pt-BR\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\ImmersiveControlPanel\fr-FR\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-100_8wekyb3d8bbwe\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.Resources\v4.0_10.0.0.0_de_31bf3856ad364e35\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing.resources\v4.0_4.0.0.0_ja_b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Boot\PCAT\fr-FR\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\TEE\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SecurityAuditPoliciesSnapIn.resources\v4.0_10.0.0.0_ja_31bf3856ad364e35\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.OracleClient.resources\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationCore.resources\v4.0_4.0.0.0_ja_31bf3856ad364e35\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.Resources\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.WriteDiagProgress\v4.0_10.0.0.0__31bf3856ad364e35\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\InfusedApps\Applications\Microsoft.Windows.Photos_2016.511.9510.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\InfusedApps\Frameworks\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ISECommon\v4.0_3.0.0.0__31bf3856ad364e35\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\SQL\ja\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Workflow.ComponentModel\v4.0_4.0.0.0__31bf3856ad364e35\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Resources\Maps\pure\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\CustomMarshalers\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\PolicyDefinitions\fr-FR\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\AppxMetadata\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.Interop\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Help\fr-FR\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Input.Manipulations.resources\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\ISymWrapper\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Services.resources\v4.0_4.0.0.0_ja_b77a5c561934e089\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Design.resources\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap.resources\v4.0_4.0.0.0_de_b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\en-us\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\AddInUtil.resources\v4.0_4.0.0.0_ja_b77a5c561934e089\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.Tracing\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Controls.Ribbon.resources\v4.0_4.0.0.0_de_b77a5c561934e089\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.DSC.CoreConfProviders.Resources\v4.0_3.0.0.0_fr_31bf3856ad364e35\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\MiracastView\Assets\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\IME\ja-JP\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\ja\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\HOW_TO_DECRYPT.txt	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
644	timeout.exe
1216	timeout.exe
2708	timeout.exe
2212	timeout.exe
1524	timeout.exe
1080	timeout.exe
1368	timeout.exe
2708	timeout.exe
3112	timeout.exe
3176	timeout.exe
1456	timeout.exe
3748	timeout.exe
2340	timeout.exe
3008	timeout.exe
3136	timeout.exe
1256	timeout.exe
2052	timeout.exe
948	timeout.exe
3768	timeout.exe
1116	timeout.exe
1712	timeout.exe
3720	timeout.exe
660	timeout.exe
968	timeout.exe
2208	timeout.exe
1796	timeout.exe
2148	timeout.exe
2144	timeout.exe
896	timeout.exe
2736	timeout.exe
2884	timeout.exe
2980	timeout.exe
2940	timeout.exe
2888	timeout.exe
1520	timeout.exe
3696	timeout.exe
3608	timeout.exe
2144	timeout.exe
2884	timeout.exe
4060	timeout.exe
3696	timeout.exe
3280	timeout.exe
3544	timeout.exe
3228	timeout.exe
2460	timeout.exe
2416	timeout.exe
3508	timeout.exe
420	timeout.exe
1476	timeout.exe
1132	timeout.exe
1988	timeout.exe
1080	timeout.exe
1088	timeout.exe
1328	timeout.exe
1996	timeout.exe
1508	timeout.exe
1380	timeout.exe
3664	timeout.exe
3816	timeout.exe
1476	timeout.exe
436	timeout.exe
2128	timeout.exe
3812	timeout.exe
2336	timeout.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1224	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3028	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
3028	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	368	vssvc.exe
Token: SeRestorePrivilege	368	vssvc.exe
Token: SeAuditPrivilege	368	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2960	3028	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe	69
PID 3028 wrote to memory of 2960	3028	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe	69
PID 3028 wrote to memory of 2960	3028	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe	69
PID 3028 wrote to memory of 3108	3028	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe	70
PID 3028 wrote to memory of 3108	3028	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe	70
PID 3028 wrote to memory of 3108	3028	88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe	70
PID 2960 wrote to memory of 1568	2960	cmd.exe	74
PID 2960 wrote to memory of 1568	2960	cmd.exe	74
PID 2960 wrote to memory of 1568	2960	cmd.exe	74
PID 3108 wrote to memory of 1224	3108	cmd.exe	73
PID 3108 wrote to memory of 1224	3108	cmd.exe	73
PID 3108 wrote to memory of 1224	3108	cmd.exe	73
PID 2960 wrote to memory of 1256	2960	cmd.exe	75
PID 2960 wrote to memory of 1256	2960	cmd.exe	75
PID 2960 wrote to memory of 1256	2960	cmd.exe	75
PID 2960 wrote to memory of 704	2960	cmd.exe	77
PID 2960 wrote to memory of 704	2960	cmd.exe	77
PID 2960 wrote to memory of 704	2960	cmd.exe	77
PID 2960 wrote to memory of 660	2960	cmd.exe	78
PID 2960 wrote to memory of 660	2960	cmd.exe	78
PID 2960 wrote to memory of 660	2960	cmd.exe	78
PID 2960 wrote to memory of 3544	2960	cmd.exe	79
PID 2960 wrote to memory of 3544	2960	cmd.exe	79
PID 2960 wrote to memory of 3544	2960	cmd.exe	79
PID 2960 wrote to memory of 1080	2960	cmd.exe	80
PID 2960 wrote to memory of 1080	2960	cmd.exe	80
PID 2960 wrote to memory of 1080	2960	cmd.exe	80
PID 2960 wrote to memory of 1084	2960	cmd.exe	81
PID 2960 wrote to memory of 1084	2960	cmd.exe	81
PID 2960 wrote to memory of 1084	2960	cmd.exe	81
PID 2960 wrote to memory of 1320	2960	cmd.exe	82
PID 2960 wrote to memory of 1320	2960	cmd.exe	82
PID 2960 wrote to memory of 1320	2960	cmd.exe	82
PID 2960 wrote to memory of 2204	2960	cmd.exe	83
PID 2960 wrote to memory of 2204	2960	cmd.exe	83
PID 2960 wrote to memory of 2204	2960	cmd.exe	83
PID 2960 wrote to memory of 2736	2960	cmd.exe	84
PID 2960 wrote to memory of 2736	2960	cmd.exe	84
PID 2960 wrote to memory of 2736	2960	cmd.exe	84
PID 2960 wrote to memory of 1504	2960	cmd.exe	85
PID 2960 wrote to memory of 1504	2960	cmd.exe	85
PID 2960 wrote to memory of 1504	2960	cmd.exe	85
PID 2960 wrote to memory of 2052	2960	cmd.exe	86
PID 2960 wrote to memory of 2052	2960	cmd.exe	86
PID 2960 wrote to memory of 2052	2960	cmd.exe	86
PID 2960 wrote to memory of 1912	2960	cmd.exe	87
PID 2960 wrote to memory of 1912	2960	cmd.exe	87
PID 2960 wrote to memory of 1912	2960	cmd.exe	87
PID 2960 wrote to memory of 1864	2960	cmd.exe	88
PID 2960 wrote to memory of 1864	2960	cmd.exe	88
PID 2960 wrote to memory of 1864	2960	cmd.exe	88
PID 2960 wrote to memory of 968	2960	cmd.exe	89
PID 2960 wrote to memory of 968	2960	cmd.exe	89
PID 2960 wrote to memory of 968	2960	cmd.exe	89
PID 2960 wrote to memory of 1520	2960	cmd.exe	90
PID 2960 wrote to memory of 1520	2960	cmd.exe	90
PID 2960 wrote to memory of 1520	2960	cmd.exe	90
PID 2960 wrote to memory of 2144	2960	cmd.exe	91
PID 2960 wrote to memory of 2144	2960	cmd.exe	91
PID 2960 wrote to memory of 2144	2960	cmd.exe	91
PID 2960 wrote to memory of 2284	2960	cmd.exe	92
PID 2960 wrote to memory of 2284	2960	cmd.exe	92
PID 2960 wrote to memory of 2284	2960	cmd.exe	92
PID 2960 wrote to memory of 3260	2960	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
"C:\Users\Admin\AppData\Local\Temp\88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c hive.bat >NUL 2>NUL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1256
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:704
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:660
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3544
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1080
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1084
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1320
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2736
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2052
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:968
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1520
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2144
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3260
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3812
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3920
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3060
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3716
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:948
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1476
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1340
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2432
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3656
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3696
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3228
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3200
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2208
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3768
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3748
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3580
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2212
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1524
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:644
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1236
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:716
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3816
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2884
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3620
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:436
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:712
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:840
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:832
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2340
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1088
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1328
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1996
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2128
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2708
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2980
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3812
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2940
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3608
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1796
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3112
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:928
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1508
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1380
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1340
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2148
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3456
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1116
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3508
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3176
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1712
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3008
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1236
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:440
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4020
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2884
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3720
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3664
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1132
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1080
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3136
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1368
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1988
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2144
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2708
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2888
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1216
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:420
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1476
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2336
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3208
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4060
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:896
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3696
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2460
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3288
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2416
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3280
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1456
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:396
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3816
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c shadow.bat >NUL 2>NUL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3108
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1224

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads