hive | c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11

General

Target

c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
Size

808KB
MD5

7202c948aa5af1134efdfe978ec6ef60
SHA1

5dbe3713b309e6ecc208e2a6c038aeb1762340d4
SHA256

c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11
SHA512

6bde3835669ee733090a3448246fb95fa0ff4cebc7b8e000dc9e13fa68aef0cb21cc778892d163a8757a486b1a69c44759a7e9a6ca4b52ab4db937a5806def1e

Score

10^/10

hive ransomware spyware stealer

Malware Config

Signatures

Hive
A ransomware written in Golang first seen in June 2021.
ransomware hive
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops file in Drivers directory 21 IoCs

Processes:

c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\UMDF\fr-FR\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\drivers\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\drivers\UMDF\fr-FR\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\ja-JP\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\drivers\UMDF\ja-JP\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\drivers\fr-FR\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\SysWOW64\drivers\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\de-DE\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\SysWOW64\drivers\en-US\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\drivers\UMDF\de-DE\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\drivers\de-DE\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\drivers\etc\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\drivers\UMDF\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\drivers\en-US\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\drivers\ja-JP\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\MergeRename.tiff	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe

Drops startup file 3 IoCs

Processes:

c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.3Oagvikv-vvhYwNdgDdIr7e5YaA9mJlkJ9wRZ6Evuj4.hive	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe

Loads dropped DLL 1 IoCs

Processes:

pid process

1200
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1200

Drops desktop.ini file(s) 64 IoCs

Processes:

c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Searches\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5UO2BKNL\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\0WAF332L\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ORVXVB76\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QYENL58A\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Public\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZTH0NOOE\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8O10X0LQ\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-103686315-404690609-2047157615-1000\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\UUBNW27H\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe

Drops file in System32 directory 64 IoCs

Processes:

c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe

description	ioc	process
File created	C:\Windows\SysWOW64\cs-CZ\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\SysWOW64\slmgr\0409\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\pt-PT\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\UltimateE\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\SysWOW64\nb-NO\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnle004.inf_amd64_neutral_beb9bf23b7202bff\Amd64\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky004.inf_amd64_neutral_5db759db19acd3ae\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\DriverStore\Temp\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\de-DE\Licenses\OEM\EnterpriseN\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\ja-JP\Licenses\eval\UltimateE\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\migration\WSMT\rras\replacementmanifests\Microsoft-Windows-RasServer-MigPlugin\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\migwiz\dlmanifests\Microsoft-Windows-RasConnectionManager\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\Enterprise\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmnttte.inf_amd64_neutral_16d100fb6ba2e40f\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\ja-JP\Licenses\_Default\EnterpriseN\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\Dism\de-DE\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msdri.inf_amd64_neutral_86bb50f34c49ae71\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\de-DE\Licenses\OEM\HomePremiumE\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\ru-RU\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\wdi\LogFiles\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\SysWOW64\Speech\Engines\SR\en-US\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\SysWOW64\WCN\fr-FR\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hcw72b64.inf_amd64_neutral_023772237d3a4ade\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbxnda.inf_amd64_neutral_c81780c5dcabd0a0\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmdyna.inf_amd64_neutral_7e4d690d07ee94c1\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmct.inf_amd64_neutral_15bb3ed734fbbeb3\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\sysprep\fr-FR\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\UltimateN\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmbug3.inf_amd64_neutral_7617862a9cc286da\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiabr00a.inf_amd64_neutral_6033065925bcc882\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\migwiz\dlmanifests\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\ras\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\Tasks\Microsoft\Windows\Diagnosis\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\WCN\fr-FR\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\fr-FR\Licenses\eval\HomeBasicN\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\Enterprise\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\de-DE\Licenses\_Default\ProfessionalN\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_neutral_aad30bdeec04ea5e\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr003.inf_amd64_neutral_dff45d1d0df04caf\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\Starter\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\Setup\fr-FR\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00a.inf_amd64_neutral_d64d696193e69d7b\Amd64\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\SysWOW64\Setup\en-US\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\StarterN\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\en-US\Licenses\eval\ProfessionalE\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\spp\tokens\skus\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\StarterE\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc00b.inf_amd64_neutral_3338d41663aad5fa\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\en-US\Licenses\eval\HomeBasic\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\ja-JP\Licenses\_Default\StarterE\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\SysWOW64\sysprep\fr-FR\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgen.inf_amd64_neutral_7a967d06d569b1e4\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wialx006.inf_amd64_neutral_ae607a72b46f9cfc\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitsTransfer\fr-FR\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\MUI\040C\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmusrf.inf_amd64_neutral_439e7d1dcac00aca\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\de-DE\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\microsoft-activedirectory-webservices\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\System32\DriverStore\FileRepository\acpipmi.inf_amd64_neutral_256ad642985694b3\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe

Drops file in Program Files directory 64 IoCs

Processes:

c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OneNoteSyncPCIntl.dll	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libpanoramix_plugin.dll.3Oagvikv-vvhYwNdgDdIr826TjjTj2JvaDqDYGW8J2s.hive	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Recife	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5EDT.3Oagvikv-vvhYwNdgDdIrxOclObDjwNxjLKlBeMIBVo.hive	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\41.png	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_right.gif	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\tipresx.dll.mui	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\dkjson.luac	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01167_.WMF	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0279644.WMF	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupiconsmask.bmp	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Kiritimati.3Oagvikv-vvhYwNdgDdIr7jUGAt4LIhbI4KSqJJ1vTo.hive	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up_BIDI.png	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00221_.WMF	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MAIN.XML	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\javaws.policy.3Oagvikv-vvhYwNdgDdIr7bAr8BF3qJokVoyXmfut3s.hive	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_plain_Thumbnail.bmp	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Bangkok	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Gambier.3Oagvikv-vvhYwNdgDdIr5-t8xCXhlVJXnwEyjyQ2j8.hive	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\IPMS.ICO	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MENU.XML	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-util.jar	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341653.JPG	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\picturePuzzle.js	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY01006_.WMF	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\HICCUP.WAV	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewFrame.html	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\CASHREG.WAV	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\fxplugins.dll	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.core_3.5.0.v20120725-1805.jar	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sampler.xml	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\Beulah.3Oagvikv-vvhYwNdgDdIr_OFmdrt2wJufZoNbsxL404.hive	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.p2.ui.overridden_5.5.0.165303.jar.3Oagvikv-vvhYwNdgDdIr8Nrmd8pzWQ0eFyDsX5x_0w.hive	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\Java\jre7\lib\currency.data.3Oagvikv-vvhYwNdgDdIr3zp3GshErg32lnFuzgVWj8.hive	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107708.WMF	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOHEV.DLL	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL081.XML	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\Java\jre7\lib\logging.properties.3Oagvikv-vvhYwNdgDdIr2KuD2FISAxRislXsVsW-AI.hive	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libgl_plugin.dll.3Oagvikv-vvhYwNdgDdIryJPaDFG9AUj7YtohMbz62I.hive	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\vlc.mo	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\cue.luac	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\librawvid_plugin.dll	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\EDGE.INF	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187847.WMF	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe.3Oagvikv-vvhYwNdgDdIryG7KLM2hPBZQekTYbfhGE4.hive	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full.png	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\JSByteCodeWin.bin	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR35B.GIF	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FORM.ICO	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msdaosp.dll	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Tunis	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Galapagos	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_rest.png	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Costa_Rica.3Oagvikv-vvhYwNdgDdIr8I9xbmfUqFI0DwBKqgZagE.hive	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\AXIS.INF	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EntityDataHandler.dll	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\Hierarchy.xsl	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File opened for modification	C:\Program Files\DebugConvert.tif.3Oagvikv-vvhYwNdgDdIr1eWr6-M10RjRQewKmKEETw.hive	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe

Drops file in Windows directory 64 IoCs

Processes:

c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe

description	ioc	process
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..trolpanel.resources_31bf3856ad364e35_6.1.7600.16385_en-us_09f9bb7e854decae\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..ional-codepage-1026_31bf3856ad364e35_6.1.7600.16385_none_23b685976a7d2b22\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\x86_netfx-mscordbc_dll_b03f5f7f11d50a3a_6.1.7601.17514_none_414c2fe8825bd6cb\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\assembly\GAC_MSIL\EventViewer\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Data.Entity.Design.resources\3.5.0.0_ja_b77a5c561934e089\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..-nlsbuild.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_7506cf479aa49dbb\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-u..assdriver.resources_31bf3856ad364e35_6.1.7600.16385_de-de_3cfaadc1b77ac85e\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..epremiume.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_b181fe0d89602a94\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_lv-lv_fcebb868157f1852\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..orage-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c780bac9da7fd0c6\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ehome-ehpresenter_31bf3856ad364e35_6.1.7601.17514_none_84ee9d077899aeab\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-deskpr.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8d0bfa965be3c584\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..oradapter.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bf9af86f3ce6a687\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-metabase.resources_31bf3856ad364e35_6.1.7600.16385_en-us_eef659347969869d\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-n..icysnapin.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e453f30ee111bf3b\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security.Claims\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Compba577418#\dee98e5b0e1a766ada50708c26bad1aa\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..restore-wmiprovider_31bf3856ad364e35_6.1.7600.16385_none_13810fa5e691bcc3\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..aincompat.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_dca2400be0e2e840\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\amd64_prnin002.inf_31bf3856ad364e35_6.1.7600.16385_none_111c3e07cc8d7b83\Amd64\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-n..lperclass.resources_31bf3856ad364e35_6.1.7600.16385_en-us_936026c77f47615a\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\x86_netfx35cdf-cdf_wf_target_files_31bf3856ad364e35_6.1.7600.16385_none_6c39a732d1f6259e\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Entity.Design\v4.0_4.0.0.0__b77a5c561934e089\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-audio-dmusic.resources_31bf3856ad364e35_6.1.7600.16385_en-us_321878ba4342f4a8\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_cb8b658d143b76f1\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sonic-tables-2th1_31bf3856ad364e35_6.1.7600.16385_none_cbb0323879635bc3\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..registrar.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a73cf61280a37681\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\en-US\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..rformance.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c47b28996eb0ff5d\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-client_31bf3856ad364e35_6.1.7600.16385_none_c80d81c947c7b794\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-p..age-codec.resources_31bf3856ad364e35_7.1.7601.16492_es-es_a26b1d8d18d179f3\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_pl-pl_014bc4890746267d\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sstext3d.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_87e53a63ef61570f\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\amd64_prnrc004.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e097159000bcadb3\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\msil_system.printing.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e83b21fdb1d14389\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-systemrestore-srhelper_31bf3856ad364e35_6.1.7600.16385_none_0ad949a3742e9872\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..how-other.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_aa701a1653614cc1\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.1.7600.16385_none_237ab8d1f339c9c5\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ingfolder.resources_31bf3856ad364e35_6.1.7600.16385_en-us_06cc49c063c74aec\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..component.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_8152e938170f652d\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7601.17514_en-us_cd970b6106ea9e70\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-a..bilitycpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0c2589ba32c35b8a\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_471ffd094ad8e0b8\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-eventviewer.resources_31bf3856ad364e35_6.1.7600.16385_en-us_247c61a2cb1cb1a6\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-smbserver.resources_31bf3856ad364e35_6.1.7600.16385_en-us_80ddaf57f520bdf5\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\Web\Wallpaper\Windows\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\0409\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\amd64_eventviewersettings.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f326e41ead956612\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-openfiles.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_77cb6dab85f427b2\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2c13cd2d39a768d8\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\amd64_wdmaudio.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e730945d85cdff3e\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..mcore-dll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_2ea55e3a9c5197e0\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.Process\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Web.Entity.resources\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\inf\BITS\0407\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-userinit.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_3249cf32269f303e\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-vssadmin.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_541b3d0d923b59ba\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\amd64_mdmelsa.inf_31bf3856ad364e35_6.1.7600.16385_none_59fc54741904bc43\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\amd64_netfx-shfusion__chm_b03f5f7f11d50a3a_6.1.7600.16385_none_bf2e6c09e1c6e4c6\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-lsa-msprivs.resources_31bf3856ad364e35_6.1.7600.16385_he-il_4dd6ff2533ac82b6\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..-startere.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b9c594eaea410ebd\HOW_TO_DECRYPT.txt	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1860 1200 WerFault.exe

pid	pid_target	process	target process
1860	1200	WerFault.exe

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
824	timeout.exe
944	timeout.exe
1556	timeout.exe
1440	timeout.exe
1048	timeout.exe
564	timeout.exe
240	timeout.exe
1400	timeout.exe
564	timeout.exe
204	timeout.exe
1752	timeout.exe
1912	timeout.exe
556	timeout.exe
1464	timeout.exe
208	timeout.exe
1876	timeout.exe
432	timeout.exe
548	timeout.exe
548	timeout.exe
2004	timeout.exe
1016	timeout.exe
308	timeout.exe
1152	timeout.exe
208	timeout.exe
1256	timeout.exe
1912	timeout.exe
1636	timeout.exe
1228	timeout.exe
1940	timeout.exe
1692	timeout.exe
904	timeout.exe
984	timeout.exe
1868	timeout.exe
984	timeout.exe
2036	timeout.exe
1048	timeout.exe
1344	timeout.exe
1400	timeout.exe
308	timeout.exe
1672	timeout.exe
1936	timeout.exe
940	timeout.exe
632	timeout.exe
904	timeout.exe
1696	timeout.exe
1528	timeout.exe
952	timeout.exe
1628	timeout.exe
1044	timeout.exe
220	timeout.exe
1444	timeout.exe
1556	timeout.exe
1032	timeout.exe
1844	timeout.exe
972	timeout.exe
1984	timeout.exe
1032	timeout.exe
1336	timeout.exe
920	timeout.exe
1828	timeout.exe
688	timeout.exe
1788	timeout.exe
220	timeout.exe
272	timeout.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1384 vssadmin.exe

pid	process
1384	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exeWerFault.exe

pid	process
1392	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
1860	WerFault.exe
1860	WerFault.exe
1860	WerFault.exe
1860	WerFault.exe
1860	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1860 WerFault.exe

pid	process
1860	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vssvc.exeWerFault.exe

description	pid	process
Token: SeBackupPrivilege	828	vssvc.exe
Token: SeRestorePrivilege	828	vssvc.exe
Token: SeAuditPrivilege	828	vssvc.exe
Token: SeDebugPrivilege	1860	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.execmd.execmd.exe

description	pid	process	target process
PID 1392 wrote to memory of 832	1392	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe	cmd.exe
PID 1392 wrote to memory of 832	1392	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe	cmd.exe
PID 1392 wrote to memory of 832	1392	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe	cmd.exe
PID 1392 wrote to memory of 772	1392	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe	cmd.exe
PID 1392 wrote to memory of 772	1392	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe	cmd.exe
PID 1392 wrote to memory of 772	1392	c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe	cmd.exe
PID 832 wrote to memory of 688	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 688	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 688	832	cmd.exe	timeout.exe
PID 772 wrote to memory of 1384	772	cmd.exe	vssadmin.exe
PID 772 wrote to memory of 1384	772	cmd.exe	vssadmin.exe
PID 772 wrote to memory of 1384	772	cmd.exe	vssadmin.exe
PID 832 wrote to memory of 1400	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 1400	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 1400	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 1608	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 1608	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 1608	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 1064	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 1064	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 1064	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 824	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 824	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 824	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 308	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 308	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 308	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 668	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 668	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 668	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 2036	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 2036	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 2036	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 2008	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 2008	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 2008	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 1724	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 1724	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 1724	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 1048	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 1048	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 1048	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 1936	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 1936	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 1936	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 888	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 888	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 888	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 984	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 984	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 984	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 944	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 944	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 944	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 1228	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 1228	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 1228	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 1308	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 1308	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 1308	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 1164	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 1164	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 1164	832	cmd.exe	timeout.exe
PID 832 wrote to memory of 1556	832	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe
"C:\Users\Admin\AppData\Local\Temp\c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\system32\cmd.exe
cmd /c hive.bat >NUL 2>NUL
2⤵
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:688

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1400

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1608

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1064

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:824

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:308

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:668

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2036

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:2008

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1724

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1048

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1936

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:888

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:984

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:944

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1228

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1308

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1164

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1556

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1672

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1380

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1828

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1496

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1860

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1296

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1356

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1400

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1156

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1444

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1676

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1712

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:2004

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:308

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:564

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:880

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:920

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:208

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:220

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:2044

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:236

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1536

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1384

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1724

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1048

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1936

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1564

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1036

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:940

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1228

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1400

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1464

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1064

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:824

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1016

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1940

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:564

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:880

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:920

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:208

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:220

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:2008

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1376

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1536

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1668

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1692

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1724

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:892

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1552

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1936

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1564

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:984

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1256

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:940

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:548

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1928

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1152

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1440

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1748

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1296

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1776

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1228

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1608

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1444

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1876

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:824

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1584

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1556

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1164

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1016

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:308

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1984

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1032

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:880

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:216

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:224

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:208

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1312

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1844

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:972

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:952

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:616

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:236

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:2008

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1716

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1376

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1536

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1668

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1692

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1724

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:432

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1752

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1680

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:968

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1168

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:984

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1256

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:940

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:548

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:632

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1496

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1328

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:688

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:976

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1296

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1776

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1228

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1608

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1064

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:2004

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1588

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1580

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1704

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:668

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1940

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1104

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:2036

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:204

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:212

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:920

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:228

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:556

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1868

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1788

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1844

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1248

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:740

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:220

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:2024

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1528

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:272

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:156

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:232

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1536

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1668

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1692

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1724

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:432

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1752

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1680

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:968

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1168

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:984

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1316

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1828

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1320

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1928

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1152

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1440

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:904

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1748

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1000

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1696

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1776

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1228

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1952

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1628

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1064

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:824

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1584

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1556

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1164

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1016

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:308

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1912

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1984

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1032

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:880

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:216

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:224

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:208

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:336

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1336

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:972

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:952

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:220

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:2024

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1528

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:272

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:820

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1672

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1656

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1792

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1996

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1048

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1572

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1552

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1044

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1752

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1036

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:944

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1620

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1256

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:940

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:548

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:632

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1496

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1440

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:904

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1748

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1000

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1400

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1952

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1780

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1628

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1064

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2004

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1588

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1580

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1704

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1368

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1016

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:308

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1912

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1984

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1032

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:880

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:920

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:228

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1344

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:240

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1592

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1636

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:828

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:556

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1300

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1728

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1248

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:2044

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:952

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:220

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:2024

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1528

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:272

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:820

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1672

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1656

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1792

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1996

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1692

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1724

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:432

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1936

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1752

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1036

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:984

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1316

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1828

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1320

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1928

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1152

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:112

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:1644

C:\Windows\system32\timeout.exe
timeout 1
3⤵
PID:688

C:\Windows\system32\cmd.exe
cmd /c shadow.bat >NUL 2>NUL
2⤵
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1384

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1200 -s 3164
1⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1860

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-103686315-404690609-2047157615-1000\desktop.ini
MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\hive.bat
MD5
c36f749af89c81217718c3f8fcc02e56

SHA1
dddd5b6a05f291ab9379cdae722446698bc3c87b

SHA256
007deb05310d6468eef1fb22bcec86b89da5906a3e90242c5766da693114f2df

SHA512
fbf6e21d44b328b3a8e709f56bcc5b9a5aa4ef595135759160886e1b305ffdc17362404dee69b3a0a7e777e0b4143e22fc9b32c8dd144b77940834e9f444c0fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\shadow.bat
MD5
df5552357692e0cba5e69f8fbf06abb6

SHA1
4714f1e6bb75a80a8faf69434726d176b70d7bd8

SHA256
d158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8

SHA512
a837555a1175ab515e2b43da9e493ff0ccd4366ee59defe6770327818ca9afa6f3e39ecdf5262b69253aa9e2692283ee8cebc97d58edd42e676977c7f73d143d

Download Submit
\Program Files\Microsoft Office\Office14\VISSHE.DLL
MD5
2f4759c23abcd639ac3ca7f8fa9480ac

SHA1
9a3fece585fa01b7b941e124ead0c39c8ce9bc7c

SHA256
6d66fa59407862e0fddfcb36472fe810eb308653321ca0e374ac870f9aa8cec6

SHA512
6ab14d6a8d3e9a751d68133e734cc804de2b50a7ef223d484d0f727cdfbd00d48f6e0666c3b86a0daf9ca42c0b726f6c2a088e5bb32c993748abfea7b5904ec6

Download Submit
memory/208-97-0x0000000000000000-mapping.dmp

Download
memory/208-120-0x0000000000000000-mapping.dmp

Download
memory/220-98-0x0000000000000000-mapping.dmp

Download
memory/220-121-0x0000000000000000-mapping.dmp

Download
memory/236-100-0x0000000000000000-mapping.dmp

Download
memory/308-93-0x0000000000000000-mapping.dmp

Download
memory/308-66-0x0000000000000000-mapping.dmp

Download
memory/564-117-0x0000000000000000-mapping.dmp

Download
memory/564-94-0x0000000000000000-mapping.dmp

Download
memory/668-67-0x0000000000000000-mapping.dmp

Download
memory/688-60-0x0000000000000000-mapping.dmp

Download
memory/772-56-0x0000000000000000-mapping.dmp

Download
memory/824-65-0x0000000000000000-mapping.dmp

Download
memory/824-114-0x0000000000000000-mapping.dmp

Download
memory/832-55-0x0000000000000000-mapping.dmp

Download
memory/880-118-0x0000000000000000-mapping.dmp

Download
memory/880-95-0x0000000000000000-mapping.dmp

Download
memory/888-73-0x0000000000000000-mapping.dmp

Download
memory/920-119-0x0000000000000000-mapping.dmp

Download
memory/920-96-0x0000000000000000-mapping.dmp

Download
memory/940-108-0x0000000000000000-mapping.dmp

Download
memory/944-75-0x0000000000000000-mapping.dmp

Download
memory/984-74-0x0000000000000000-mapping.dmp

Download
memory/1016-115-0x0000000000000000-mapping.dmp

Download
memory/1036-107-0x0000000000000000-mapping.dmp

Download
memory/1048-71-0x0000000000000000-mapping.dmp

Download
memory/1048-104-0x0000000000000000-mapping.dmp

Download
memory/1064-113-0x0000000000000000-mapping.dmp

Download
memory/1064-64-0x0000000000000000-mapping.dmp

Download
memory/1156-88-0x0000000000000000-mapping.dmp

Download
memory/1164-78-0x0000000000000000-mapping.dmp

Download
memory/1228-109-0x0000000000000000-mapping.dmp

Download
memory/1228-76-0x0000000000000000-mapping.dmp

Download
memory/1296-85-0x0000000000000000-mapping.dmp

Download
memory/1308-77-0x0000000000000000-mapping.dmp

Download
memory/1356-86-0x0000000000000000-mapping.dmp

Download
memory/1380-81-0x0000000000000000-mapping.dmp

Download
memory/1384-102-0x0000000000000000-mapping.dmp

Download
memory/1384-61-0x0000000000000000-mapping.dmp

Download
memory/1400-87-0x0000000000000000-mapping.dmp

Download
memory/1400-111-0x0000000000000000-mapping.dmp

Download
memory/1400-62-0x0000000000000000-mapping.dmp

Download
memory/1444-89-0x0000000000000000-mapping.dmp

Download
memory/1464-112-0x0000000000000000-mapping.dmp

Download
memory/1496-83-0x0000000000000000-mapping.dmp

Download
memory/1536-101-0x0000000000000000-mapping.dmp

Download
memory/1556-79-0x0000000000000000-mapping.dmp

Download
memory/1564-106-0x0000000000000000-mapping.dmp

Download
memory/1608-63-0x0000000000000000-mapping.dmp

Download
memory/1672-80-0x0000000000000000-mapping.dmp

Download
memory/1676-90-0x0000000000000000-mapping.dmp

Download
memory/1712-91-0x0000000000000000-mapping.dmp

Download
memory/1724-103-0x0000000000000000-mapping.dmp

Download
memory/1724-70-0x0000000000000000-mapping.dmp

Download
memory/1828-82-0x0000000000000000-mapping.dmp

Download
memory/1860-84-0x0000000000000000-mapping.dmp

Download
memory/1860-123-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

Filesize
8KB

Download
memory/1860-124-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/1936-72-0x0000000000000000-mapping.dmp

Download
memory/1936-105-0x0000000000000000-mapping.dmp

Download
memory/1940-116-0x0000000000000000-mapping.dmp

Download
memory/2004-92-0x0000000000000000-mapping.dmp

Download
memory/2008-69-0x0000000000000000-mapping.dmp

Download
memory/2008-122-0x0000000000000000-mapping.dmp

Download
memory/2036-68-0x0000000000000000-mapping.dmp

Download
memory/2044-99-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads