hive | db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e

Resubmissions

30/11/2021, 13:37

211130-qxasbsacb8 10

30/11/2021, 13:35

211130-qvmzwafagn 10

30/11/2021, 13:31

211130-qstpmsfafq 10

Analysis

max time kernel
134s
max time network
131s
platform
windows7_x64
resource
win7-en-20211104
submitted
30/11/2021, 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
Size

2.5MB
MD5

6c1665d8f03efdc96991956f4d7f310d
SHA1

bbbb0836a9f0d2525539d65669d35d8e528f96d1
SHA256

db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e
SHA512

c633c67c5a8e2b5c856027475d0d0bb2075a6b2d54486e080c737d4dce7a71ffbd83acddcf60dc53854e72b91bf05e25c1e02a55fbd0b93ca66b61691d5b96b7

Score

10^/10

hive ransomware spyware stealer

Malware Config

Signatures

Hive
A ransomware written in Golang first seen in June 2021.
ransomware hive
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\RemoveWrite.tiff	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Pictures\SearchWatch.tiff	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.lT-7maDEWYovqGV98FM2M2HMI4ijkRBgTgTdeD_7yDg.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZTH0NOOE\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Public\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\0WAF332L\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QYENL58A\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-103686315-404690609-2047157615-1000\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\UUBNW27H\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8O10X0LQ\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5UO2BKNL\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)notConnectedStateIcon.png	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html.lT-7maDEWYovqGV98FM2M4SM9TmFEK5NRUJhkppQ-SY.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0233992.WMF	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-snaptracer.jar.lT-7maDEWYovqGV98FM2M5UvFdZmPqYQ3UZMerOr9kg.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Common Files\System\DirectDB.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-actions.jar	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider.png	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNoteNames.gpd	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\settings.css	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_ts_plugin.dll.lT-7maDEWYovqGV98FM2MxLJtrIEhCoreMyIHPPKjyI.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Dawson	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.properties	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libaribcam_plugin.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02441_.WMF	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\rtscom.dll.mui	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\CheckpointPush.avi.lT-7maDEWYovqGV98FM2M_VGGaTY7eQWpz-93QYUliA.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART2.BDR	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlceoledb35.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Puerto_Rico.lT-7maDEWYovqGV98FM2M8BIBBYlNec-3j1eGGEDWgo.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Havana	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\THMBNAIL.PNG	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00200_.WMF	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS_COL.HXT	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\profilerinterface.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE01172_.WMF	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR17F.GIF	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaBrightItalic.ttf.lT-7maDEWYovqGV98FM2M39THhwT_rAWhHBceoGc1XA.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Dawson_Creek	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\THMBNAIL.PNG	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImages.jpg	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NL7Models0011.DLL	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libaraw_plugin.dll.lT-7maDEWYovqGV98FM2M6RmsnRQaMByGb9-_Dao8ws.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\SettingsInternal.zip	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_few-showers.png	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_ro.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\BodyPaneBackground.jpg	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\tab_on.gif	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SNIPE.POC	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfontj2d.properties	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\vlc.mo	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\mpvis.dll.mui	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00095_.WMF	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.RunTime.Serialization.Resources.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-common.jar	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_zh_CN.jar.lT-7maDEWYovqGV98FM2M45SZ2qh4IIriB8OePx8hDo.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\TAB_ON.GIF	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist_jstree.xml.lT-7maDEWYovqGV98FM2M827dEQsbSMd_iYoQQO0Wn4.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Antigua.lT-7maDEWYovqGV98FM2M-Bbweyl4Qkem49DuoSF9HE.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\settings.html	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\settings.html	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png.lT-7maDEWYovqGV98FM2M_wDor1vj88tQSNVcSlP8XQ.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_ButtonGraphic.png	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\rtf_choosefont.gif	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS_F_COL.HXK	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\settings.css	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\msinfo32.exe.mui	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core.xml	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe.lT-7maDEWYovqGV98FM2M57PUP0PjzgXpp8I3rYxTk4.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libinvert_plugin.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\kn.pak	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1556	1208	WerFault.exe	13

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
1348	timeout.exe
1656	timeout.exe
928	timeout.exe
1384	timeout.exe
240	timeout.exe
1980	timeout.exe
816	timeout.exe
1160	timeout.exe
1740	timeout.exe
1764	timeout.exe
1400	timeout.exe
1736	timeout.exe
1844	timeout.exe
916	timeout.exe
1820	timeout.exe
1560	timeout.exe
1608	timeout.exe
1740	timeout.exe
304	timeout.exe
848	timeout.exe
816	timeout.exe
1944	timeout.exe
1956	timeout.exe
304	timeout.exe
1284	timeout.exe
1012	timeout.exe
1640	timeout.exe
304	timeout.exe
1984	timeout.exe
1016	timeout.exe
240	timeout.exe
1656	timeout.exe
1820	timeout.exe
1620	timeout.exe
1984	timeout.exe
956	timeout.exe
676	timeout.exe
2016	timeout.exe
940	timeout.exe
1996	timeout.exe
548	timeout.exe
1600	timeout.exe
456	timeout.exe
1320	timeout.exe
852	timeout.exe
1448	timeout.exe
1496	timeout.exe
1268	timeout.exe
1720	timeout.exe
1448	timeout.exe
2004	timeout.exe
792	timeout.exe
676	timeout.exe
1628	timeout.exe
1844	timeout.exe
1348	timeout.exe
1352	timeout.exe
456	timeout.exe
1972	timeout.exe
992	timeout.exe
1936	timeout.exe
1844	timeout.exe
1936	timeout.exe
1576	timeout.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1656	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1408	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
1556	WerFault.exe
1556	WerFault.exe
1556	WerFault.exe
1556	WerFault.exe
1556	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	1552	vssvc.exe
Token: SeRestorePrivilege	1552	vssvc.exe
Token: SeAuditPrivilege	1552	vssvc.exe
Token: SeDebugPrivilege	1556	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 1264	1408	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe	29
PID 1408 wrote to memory of 1264	1408	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe	29
PID 1408 wrote to memory of 1264	1408	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe	29
PID 1408 wrote to memory of 1264	1408	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe	29
PID 1408 wrote to memory of 1116	1408	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe	30
PID 1408 wrote to memory of 1116	1408	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe	30
PID 1408 wrote to memory of 1116	1408	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe	30
PID 1408 wrote to memory of 1116	1408	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe	30
PID 1264 wrote to memory of 816	1264	cmd.exe	31
PID 1264 wrote to memory of 816	1264	cmd.exe	31
PID 1264 wrote to memory of 816	1264	cmd.exe	31
PID 1264 wrote to memory of 816	1264	cmd.exe	31
PID 1116 wrote to memory of 1656	1116	cmd.exe	32
PID 1116 wrote to memory of 1656	1116	cmd.exe	32
PID 1116 wrote to memory of 1656	1116	cmd.exe	32
PID 1116 wrote to memory of 1656	1116	cmd.exe	32
PID 1264 wrote to memory of 1984	1264	cmd.exe	34
PID 1264 wrote to memory of 1984	1264	cmd.exe	34
PID 1264 wrote to memory of 1984	1264	cmd.exe	34
PID 1264 wrote to memory of 1984	1264	cmd.exe	34
PID 1264 wrote to memory of 1352	1264	cmd.exe	35
PID 1264 wrote to memory of 1352	1264	cmd.exe	35
PID 1264 wrote to memory of 1352	1264	cmd.exe	35
PID 1264 wrote to memory of 1352	1264	cmd.exe	35
PID 1264 wrote to memory of 1284	1264	cmd.exe	36
PID 1264 wrote to memory of 1284	1264	cmd.exe	36
PID 1264 wrote to memory of 1284	1264	cmd.exe	36
PID 1264 wrote to memory of 1284	1264	cmd.exe	36
PID 1264 wrote to memory of 1268	1264	cmd.exe	37
PID 1264 wrote to memory of 1268	1264	cmd.exe	37
PID 1264 wrote to memory of 1268	1264	cmd.exe	37
PID 1264 wrote to memory of 1268	1264	cmd.exe	37
PID 1264 wrote to memory of 1980	1264	cmd.exe	38
PID 1264 wrote to memory of 1980	1264	cmd.exe	38
PID 1264 wrote to memory of 1980	1264	cmd.exe	38
PID 1264 wrote to memory of 1980	1264	cmd.exe	38
PID 1264 wrote to memory of 1680	1264	cmd.exe	39
PID 1264 wrote to memory of 1680	1264	cmd.exe	39
PID 1264 wrote to memory of 1680	1264	cmd.exe	39
PID 1264 wrote to memory of 1680	1264	cmd.exe	39
PID 1264 wrote to memory of 992	1264	cmd.exe	40
PID 1264 wrote to memory of 992	1264	cmd.exe	40
PID 1264 wrote to memory of 992	1264	cmd.exe	40
PID 1264 wrote to memory of 992	1264	cmd.exe	40
PID 1264 wrote to memory of 1628	1264	cmd.exe	41
PID 1264 wrote to memory of 1628	1264	cmd.exe	41
PID 1264 wrote to memory of 1628	1264	cmd.exe	41
PID 1264 wrote to memory of 1628	1264	cmd.exe	41
PID 1264 wrote to memory of 792	1264	cmd.exe	42
PID 1264 wrote to memory of 792	1264	cmd.exe	42
PID 1264 wrote to memory of 792	1264	cmd.exe	42
PID 1264 wrote to memory of 792	1264	cmd.exe	42
PID 1264 wrote to memory of 956	1264	cmd.exe	43
PID 1264 wrote to memory of 956	1264	cmd.exe	43
PID 1264 wrote to memory of 956	1264	cmd.exe	43
PID 1264 wrote to memory of 956	1264	cmd.exe	43
PID 1264 wrote to memory of 1732	1264	cmd.exe	44
PID 1264 wrote to memory of 1732	1264	cmd.exe	44
PID 1264 wrote to memory of 1732	1264	cmd.exe	44
PID 1264 wrote to memory of 1732	1264	cmd.exe	44
PID 1264 wrote to memory of 1748	1264	cmd.exe	45
PID 1264 wrote to memory of 1748	1264	cmd.exe	45
PID 1264 wrote to memory of 1748	1264	cmd.exe	45
PID 1264 wrote to memory of 1748	1264	cmd.exe	45

C:\Users\Admin\AppData\Local\Temp\db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
"C:\Users\Admin\AppData\Local\Temp\db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c hive.bat >NUL 2>NUL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:816
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1984
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1352
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1284
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1268
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:992
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1628
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:792
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:956
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1740
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:576
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:972
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1460
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:548
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1844
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1016
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:880
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:984
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:940
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1160
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1764
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1720
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:456
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:304
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:924
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:748
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:676
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1656
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:960
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1348
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:828
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1640
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1292
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1820
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1400
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:976
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1260
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1936
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1996
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1736
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1012
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:928
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1956
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:852
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:916
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1844
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1448
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:304
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:240
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:748
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:676
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1384
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:816
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1984
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1348
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1284
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1980
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1820
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1972
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1560
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2016
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:992
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1400
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:388
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:792
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1260
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1944
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1936
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1740
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:928
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2004
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:888
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1844
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1620
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1600
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1576
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1496
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1448
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:456
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1780
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:304
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:240
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:912
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1316
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1608
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1320
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1656
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c shadow.bat >NUL 2>NUL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1656

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1208 -s 2008
1⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1556-122-0x000007FEFB6F1000-0x000007FEFB6F3000-memory.dmp

Filesize
8KB

Download
memory/1556-123-0x0000000001B90000-0x0000000001B91000-memory.dmp

Filesize
4KB

Download