hive | db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e

General

Target

db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
Size

2.5MB
MD5

6c1665d8f03efdc96991956f4d7f310d
SHA1

bbbb0836a9f0d2525539d65669d35d8e528f96d1
SHA256

db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e
SHA512

c633c67c5a8e2b5c856027475d0d0bb2075a6b2d54486e080c737d4dce7a71ffbd83acddcf60dc53854e72b91bf05e25c1e02a55fbd0b93ca66b61691d5b96b7

Score

10^/10

hive ransomware spyware stealer

Malware Config

Signatures

Hive
A ransomware written in Golang first seen in June 2021.
ransomware hive
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops startup file 2 IoCs

Processes:

db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.ASgBrAJO872OiuN2t-9oypZCSMHLXDBmXIL-7TGpTkU.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

Processes:

db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe

description	ioc	process
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-103686315-404690609-2047157615-1000\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\UUBNW27H\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NSRO2PSX\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ORVXVB76\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8O10X0LQ\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZTH0NOOE\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Public\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\0WAF332L\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5UO2BKNL\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe

Drops file in Program Files directory 64 IoCs

Processes:

db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre7\lib\charsets.jar	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Bahia_Banderas	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Mozilla Firefox\platform.ini.ASgBrAJO872OiuN2t-9oymb57akSI9csk4c3udHp6y0.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libdtv_plugin.dll.ASgBrAJO872OiuN2t-9oyuxIFPpr15AOwT6SRtrZOGU.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099148.JPG	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-ui.xml.ASgBrAJO872OiuN2t-9oysBATwL-j-s7fS0fkodqs2o.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS_F_COL.HXK	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\jvm.dll.ASgBrAJO872OiuN2t-9oymYLSg5wbkc-KPMiUFM_ZC0.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\VeriSign_Class_3_Code_Signing_2001-4_CA.cer	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPSLAX.DLL	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_ja_4.4.0.v20140623020002.jar	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\msdadc.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WING1.WMF	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0315447.JPG	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\Client.xml	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kuching	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\com-sun-tools-visualvm-modules-startup.jar	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_display_plugin.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-last-quarter.png	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\ECHO.INF	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\as80.xsl	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0314068.JPG	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\startNetworkServer.bat	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt.ASgBrAJO872OiuN2t-9oyoc-k2KZgApyGlJpR5BYBwo.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-bootstrap.xml	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IO.Log.Resources.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\calendar.js	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt.ASgBrAJO872OiuN2t-9oylC4xh5wxqBTPiQNiatibyI.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+10.ASgBrAJO872OiuN2t-9oyvlMMJz4XKxwOV-HLrgjAhY.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter_partly-cloudy.png	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dt_shmem.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_zh_4.4.0.v20140623020002.jar	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\flyout.html	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net_1.2.200.v20120807-0927.jar.ASgBrAJO872OiuN2t-9oyvGGQlQfMuJblu5ftht7LWI.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared16x16Images.jpg	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Management.Instrumentation.Resources.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7EN.DLL	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_ta.dll.ASgBrAJO872OiuN2t-9oyj4ROlWCBWxYbrwuCCB1sGw.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libdtv_plugin.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Jerusalem.ASgBrAJO872OiuN2t-9oygpt5pCmKbxiTo4GL941eWU.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pohnpei.ASgBrAJO872OiuN2t-9oygT0-ewUH5I-x-8nWCG5aEA.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Regina.ASgBrAJO872OiuN2t-9oyi_RI-_9gldWJ9bS9I7EkkE.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider_right.png	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\YST9.ASgBrAJO872OiuN2t-9oypP-LiVivn57XMZ4FkMSeVo.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0335112.WMF	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\libgestures_plugin.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaTypewriterBold.ttf.ASgBrAJO872OiuN2t-9oyiKq3ErQPP1jPCrQqX4U7ww.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Tell_City.ASgBrAJO872OiuN2t-9oylg5lPN37lh4FRStN0qNRyg.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IdentityModel.Resources.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libxa_plugin.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base_4.0.200.v20141007-2301.jar.ASgBrAJO872OiuN2t-9oyuC6gqN7NoYeuRYTrrjY-AA.hive	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EntityPickerIntl.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBPQT.DPV	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02253_.WMF	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0251871.WMF	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_wasapi_plugin.dll	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0237759.WMF	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02388_.WMF	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1856 1384 WerFault.exe

pid	pid_target	process	target process
1856	1384	WerFault.exe

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
1568	timeout.exe
664	timeout.exe
876	timeout.exe
2004	timeout.exe
1460	timeout.exe
664	timeout.exe
1540	timeout.exe
1392	timeout.exe
1760	timeout.exe
368	timeout.exe
1552	timeout.exe
1916	timeout.exe
2036	timeout.exe
1144	timeout.exe
1720	timeout.exe
1800	timeout.exe
1856	timeout.exe
884	timeout.exe
1720	timeout.exe
1572	timeout.exe
744	timeout.exe
1844	timeout.exe
1568	timeout.exe
1936	timeout.exe
1540	timeout.exe
1424	timeout.exe
1996	timeout.exe
2032	timeout.exe
1924	timeout.exe
1576	timeout.exe
1740	timeout.exe
876	timeout.exe
1504	timeout.exe
1936	timeout.exe
1844	timeout.exe
552	timeout.exe
1724	timeout.exe
1576	timeout.exe
1640	timeout.exe
308	timeout.exe
1788	timeout.exe
940	timeout.exe
1200	timeout.exe
1504	timeout.exe
1324	timeout.exe
916	timeout.exe
1200	timeout.exe
1728	timeout.exe
956	timeout.exe
1472	timeout.exe
1852	timeout.exe
1544	timeout.exe
604	timeout.exe
1552	timeout.exe
540	timeout.exe
1632	timeout.exe
308	timeout.exe
1976	timeout.exe
1756	timeout.exe
1584	timeout.exe
536	timeout.exe
1132	timeout.exe
980	timeout.exe
1852	timeout.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1632 vssadmin.exe

pid	process
1632	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exeWerFault.exe

pid	process
644	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
1856	WerFault.exe
1856	WerFault.exe
1856	WerFault.exe
1856	WerFault.exe
1856	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vssvc.exeWerFault.exe

description	pid	process
Token: SeBackupPrivilege	1076	vssvc.exe
Token: SeRestorePrivilege	1076	vssvc.exe
Token: SeAuditPrivilege	1076	vssvc.exe
Token: SeDebugPrivilege	1856	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.execmd.execmd.exe

description	pid	process	target process
PID 644 wrote to memory of 1672	644	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe	cmd.exe
PID 644 wrote to memory of 1672	644	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe	cmd.exe
PID 644 wrote to memory of 1672	644	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe	cmd.exe
PID 644 wrote to memory of 1672	644	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe	cmd.exe
PID 644 wrote to memory of 1876	644	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe	cmd.exe
PID 644 wrote to memory of 1876	644	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe	cmd.exe
PID 644 wrote to memory of 1876	644	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe	cmd.exe
PID 644 wrote to memory of 1876	644	db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe	cmd.exe
PID 1672 wrote to memory of 1700	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1700	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1700	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1700	1672	cmd.exe	timeout.exe
PID 1876 wrote to memory of 1632	1876	cmd.exe	vssadmin.exe
PID 1876 wrote to memory of 1632	1876	cmd.exe	vssadmin.exe
PID 1876 wrote to memory of 1632	1876	cmd.exe	vssadmin.exe
PID 1876 wrote to memory of 1632	1876	cmd.exe	vssadmin.exe
PID 1672 wrote to memory of 1264	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1264	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1264	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1264	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1844	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1844	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1844	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1844	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1544	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1544	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1544	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1544	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 2004	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 2004	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 2004	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 2004	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1636	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1636	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1636	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1636	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1560	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1560	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1560	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1560	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1184	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1184	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1184	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1184	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 980	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 980	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 980	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 980	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1852	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1852	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1852	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1852	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1504	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1504	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1504	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1504	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 604	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 604	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 604	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 604	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1720	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1720	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1720	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 1720	1672	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe
"C:\Users\Admin\AppData\Local\Temp\db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SysWOW64\cmd.exe
cmd /c hive.bat >NUL 2>NUL
2⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1700

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1264

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1844

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1544

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2004

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1636

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1560

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1184

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:980

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1852

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1504

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:604

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1720

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:552

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1324

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1916

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1724

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:916

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2036

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2016

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1576

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1640

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1800

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1756

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1760

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1592

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1604

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:744

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1568

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:824

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:664

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1856

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1200

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1976

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1144

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1552

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1584

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1540

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:956

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1972

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1528

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1180

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:288

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1304

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1504

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:604

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1720

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1068

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1884

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1936

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1924

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:364

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:884

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1392

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:940

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1740

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1776

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:536

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1572

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1728

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:368

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1424

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1568

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:308

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:876

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:664

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1104

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1632

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1200

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1976

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1660

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1844

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1552

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1616

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2004

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1540

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:956

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:896

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1576

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1392

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:944

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:540

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1740

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1628

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1752

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1592

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1572

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1600

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:744

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1204

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1472

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:308

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:876

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:664

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1352

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:856

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1200

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1976

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1132

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:852

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2004

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1540

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1532

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1460

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1852

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1768

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1788

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1996

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:360

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1720

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1916

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1724

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2032

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1936

C:\Windows\SysWOW64\cmd.exe
cmd /c shadow.bat >NUL 2>NUL
2⤵
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1632

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1384 -s 2588
1⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1856

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-103686315-404690609-2047157615-1000\desktop.ini
MD5
320f976f69333db72bd49a4a9be26525

SHA1
1b2066463950602c030cb627062ecf392a641113

SHA256
b0c45da2f61d4f7acec89497ad705997afefd40a27c181ec64519c86b389837b

SHA512
6dda418b0c0794203f56b13ddb46f8ec70b67025a16b38b845a19ee106aa58a76db3420812130bb29039cac65cd4a5e8ae425a81348ceba5ba8f2014496b0ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hive.bat
MD5
1979b2676fdfa499ba90720950db76d0

SHA1
d96581fdae36e013917ab6192273956cbfdb4111

SHA256
31d13e940ec4af6ed5013faa57e162a9720d2f548292b81a8e0aed3853755031

SHA512
82eaad7d9911790d8de95b806d2c3781e7c3d62f3fd0b4c1f477d4f936647a466afbabd0df7061c6012963efa36ec1e3387e1d3e3227c7a196c875d3ca125bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\shadow.bat
MD5
df5552357692e0cba5e69f8fbf06abb6

SHA1
4714f1e6bb75a80a8faf69434726d176b70d7bd8

SHA256
d158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8

SHA512
a837555a1175ab515e2b43da9e493ff0ccd4366ee59defe6770327818ca9afa6f3e39ecdf5262b69253aa9e2692283ee8cebc97d58edd42e676977c7f73d143d

Download Submit
memory/288-103-0x0000000000000000-mapping.dmp

Download
memory/364-112-0x0000000000000000-mapping.dmp

Download
memory/368-121-0x0000000000000000-mapping.dmp

Download
memory/536-118-0x0000000000000000-mapping.dmp

Download
memory/552-74-0x0000000000000000-mapping.dmp

Download
memory/604-106-0x0000000000000000-mapping.dmp

Download
memory/604-72-0x0000000000000000-mapping.dmp

Download
memory/664-91-0x0000000000000000-mapping.dmp

Download
memory/744-88-0x0000000000000000-mapping.dmp

Download
memory/824-90-0x0000000000000000-mapping.dmp

Download
memory/884-113-0x0000000000000000-mapping.dmp

Download
memory/916-78-0x0000000000000000-mapping.dmp

Download
memory/940-115-0x0000000000000000-mapping.dmp

Download
memory/956-99-0x0000000000000000-mapping.dmp

Download
memory/980-69-0x0000000000000000-mapping.dmp

Download
memory/1068-108-0x0000000000000000-mapping.dmp

Download
memory/1144-95-0x0000000000000000-mapping.dmp

Download
memory/1180-102-0x0000000000000000-mapping.dmp

Download
memory/1184-68-0x0000000000000000-mapping.dmp

Download
memory/1200-93-0x0000000000000000-mapping.dmp

Download
memory/1264-62-0x0000000000000000-mapping.dmp

Download
memory/1304-104-0x0000000000000000-mapping.dmp

Download
memory/1324-75-0x0000000000000000-mapping.dmp

Download
memory/1392-114-0x0000000000000000-mapping.dmp

Download
memory/1504-71-0x0000000000000000-mapping.dmp

Download
memory/1504-105-0x0000000000000000-mapping.dmp

Download
memory/1528-101-0x0000000000000000-mapping.dmp

Download
memory/1540-98-0x0000000000000000-mapping.dmp

Download
memory/1544-64-0x0000000000000000-mapping.dmp

Download
memory/1552-96-0x0000000000000000-mapping.dmp

Download
memory/1560-67-0x0000000000000000-mapping.dmp

Download
memory/1568-89-0x0000000000000000-mapping.dmp

Download
memory/1572-119-0x0000000000000000-mapping.dmp

Download
memory/1576-81-0x0000000000000000-mapping.dmp

Download
memory/1584-97-0x0000000000000000-mapping.dmp

Download
memory/1592-86-0x0000000000000000-mapping.dmp

Download
memory/1604-87-0x0000000000000000-mapping.dmp

Download
memory/1632-61-0x0000000000000000-mapping.dmp

Download
memory/1636-66-0x0000000000000000-mapping.dmp

Download
memory/1640-82-0x0000000000000000-mapping.dmp

Download
memory/1672-55-0x0000000000000000-mapping.dmp

Download
memory/1700-60-0x0000000000000000-mapping.dmp

Download
memory/1720-73-0x0000000000000000-mapping.dmp

Download
memory/1720-107-0x0000000000000000-mapping.dmp

Download
memory/1724-77-0x0000000000000000-mapping.dmp

Download
memory/1728-120-0x0000000000000000-mapping.dmp

Download
memory/1740-116-0x0000000000000000-mapping.dmp

Download
memory/1756-84-0x0000000000000000-mapping.dmp

Download
memory/1760-85-0x0000000000000000-mapping.dmp

Download
memory/1776-117-0x0000000000000000-mapping.dmp

Download
memory/1800-83-0x0000000000000000-mapping.dmp

Download
memory/1844-63-0x0000000000000000-mapping.dmp

Download
memory/1852-70-0x0000000000000000-mapping.dmp

Download
memory/1856-92-0x0000000000000000-mapping.dmp

Download
memory/1856-122-0x000007FEFC291000-0x000007FEFC293000-memory.dmp

Filesize
8KB

Download
memory/1856-123-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/1876-56-0x0000000000000000-mapping.dmp

Download
memory/1884-109-0x0000000000000000-mapping.dmp

Download
memory/1916-76-0x0000000000000000-mapping.dmp

Download
memory/1924-111-0x0000000000000000-mapping.dmp

Download
memory/1936-110-0x0000000000000000-mapping.dmp

Download
memory/1972-100-0x0000000000000000-mapping.dmp

Download
memory/1976-94-0x0000000000000000-mapping.dmp

Download
memory/2004-65-0x0000000000000000-mapping.dmp

Download
memory/2016-80-0x0000000000000000-mapping.dmp

Download
memory/2036-79-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads