hive | af9e8f301a3677b457345921d7ee765a842eceb7df107714eaffc6193bfc6bbe

Analysis

max time kernel
246s
max time network
124s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hive.exe
Size

764KB
MD5

2f9fc82898d718f2abe99c4a6fa79e69
SHA1

9d336b8911c8ffd7cc809e31d5b53796bb0cc7bb
SHA256

88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1
SHA512

19f0879b1c54d305ab7a97a0d46ab79c103d4687fe37d5f9ef1934904eea48a1c66b1ac2de3dace6dc0d91623309287044c198cb0b3fc9f8453fbc9d1c0cae8b
SSDEEP

12288:CinNFNkY/yU97ppM4NSBG81Np2C9H4S3iDjlLtc4wCIITIQaOI6NrwacVYV+4MsT:CinN3n/y67jM4v4kCSPDjlLtbwt8IQLH

Score

10^/10

hive persistence ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\MSOCache\HOW_TO_DECRYPT.txt

Family

hive

Ransom Note

Your network has been breached and all data is encrypted. To decrypt all the data you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: EQA9oydTxwXS Password: vNtgAgb3kMFmCooANNQr Follow the guidelines below to avoid losing your data: - Do not shutdown or reboot your computers, unmount external storages. - Do not try to decrypt data using third party software. It may cause irreversible damage. - Do not fool yourself. Encryption has perfect secrecy and it's impossible to decrypt without knowing the key. - Do not modify, rename or delete *.key.hive files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to authorities. The negotiation process will be terminated immediately and the key will be erased. - Do not reject to purchase. Your sensitive data will be publicly disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

URLs

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

Signatures

Detects Go variant of Hive Ransomware 16 IoCs

Processes:

resource	yara_rule
behavioral5/memory/2928-1-0x0000000000F70000-0x00000000011D3000-memory.dmp	hive_go
behavioral5/memory/2928-2-0x0000000000F70000-0x00000000011D3000-memory.dmp	hive_go
behavioral5/memory/2928-2197-0x0000000000F70000-0x00000000011D3000-memory.dmp	hive_go
behavioral5/memory/2928-5133-0x0000000000F70000-0x00000000011D3000-memory.dmp	hive_go
behavioral5/memory/2928-7924-0x0000000000F70000-0x00000000011D3000-memory.dmp	hive_go
behavioral5/memory/2928-11493-0x0000000000F70000-0x00000000011D3000-memory.dmp	hive_go
behavioral5/memory/2928-15250-0x0000000000F70000-0x00000000011D3000-memory.dmp	hive_go
behavioral5/memory/2928-16895-0x0000000000F70000-0x00000000011D3000-memory.dmp	hive_go
behavioral5/memory/2928-17260-0x0000000000F70000-0x00000000011D3000-memory.dmp	hive_go
behavioral5/memory/2928-17261-0x0000000000F70000-0x00000000011D3000-memory.dmp	hive_go
behavioral5/memory/2928-17262-0x0000000000F70000-0x00000000011D3000-memory.dmp	hive_go
behavioral5/memory/2928-17263-0x0000000000F70000-0x00000000011D3000-memory.dmp	hive_go
behavioral5/memory/2928-17322-0x0000000000F70000-0x00000000011D3000-memory.dmp	hive_go
behavioral5/memory/2928-17338-0x0000000000F70000-0x00000000011D3000-memory.dmp	hive_go
behavioral5/memory/2928-17339-0x0000000000F70000-0x00000000011D3000-memory.dmp	hive_go
behavioral5/memory/2928-17345-0x0000000000F70000-0x00000000011D3000-memory.dmp	hive_go

Hive
A ransomware written in Golang first seen in June 2021.
ransomware hive
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Drops file in Drivers directory 28 IoCs

Processes:

hive.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\ja-JP\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\it-IT\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\es-ES\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\de-DE\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\drivers\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\es-ES\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\it-IT\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\de-DE\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\ja-JP\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\drivers\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\fr-FR\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\fr-FR\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\ja-JP\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\drivers\en-US\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\HOW_TO_DECRYPT.txt	hive.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Active Setup\Installed Components	Explorer.EXE

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2020 cmd.exe

pid	process
2020	cmd.exe

Drops startup file 3 IoCs

Processes:

hive.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	hive.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.JlkfU920apK1mOxE_Svq4IE_QdDHjC4YVuo4VSqFY3U.hive	hive.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral5/memory/2928-0-0x0000000000F70000-0x00000000011D3000-memory.dmp	upx
behavioral5/memory/2928-1-0x0000000000F70000-0x00000000011D3000-memory.dmp	upx
behavioral5/memory/2928-2-0x0000000000F70000-0x00000000011D3000-memory.dmp	upx
behavioral5/memory/2928-2197-0x0000000000F70000-0x00000000011D3000-memory.dmp	upx
behavioral5/memory/2928-5133-0x0000000000F70000-0x00000000011D3000-memory.dmp	upx
behavioral5/memory/2928-7924-0x0000000000F70000-0x00000000011D3000-memory.dmp	upx
behavioral5/memory/2928-11493-0x0000000000F70000-0x00000000011D3000-memory.dmp	upx
behavioral5/memory/2928-15250-0x0000000000F70000-0x00000000011D3000-memory.dmp	upx
behavioral5/memory/2928-16895-0x0000000000F70000-0x00000000011D3000-memory.dmp	upx
behavioral5/memory/2928-17260-0x0000000000F70000-0x00000000011D3000-memory.dmp	upx
behavioral5/memory/2928-17261-0x0000000000F70000-0x00000000011D3000-memory.dmp	upx
behavioral5/memory/2928-17262-0x0000000000F70000-0x00000000011D3000-memory.dmp	upx
behavioral5/memory/2928-17263-0x0000000000F70000-0x00000000011D3000-memory.dmp	upx
behavioral5/memory/2928-17322-0x0000000000F70000-0x00000000011D3000-memory.dmp	upx
behavioral5/memory/2928-17338-0x0000000000F70000-0x00000000011D3000-memory.dmp	upx
behavioral5/memory/2928-17339-0x0000000000F70000-0x00000000011D3000-memory.dmp	upx
behavioral5/memory/2928-17345-0x0000000000F70000-0x00000000011D3000-memory.dmp	upx

Drops desktop.ini file(s) 64 IoCs

Processes:

hive.exeExplorer.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	hive.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	hive.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\6S505ELS\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	hive.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	hive.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	hive.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	hive.exe
File opened for modification	C:\Program Files\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	hive.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3470981204-343661084-3367201002-1000\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\3I8TNX97\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	hive.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	hive.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	hive.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	hive.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	hive.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	hive.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	hive.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	hive.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	hive.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	hive.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	hive.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	hive.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	hive.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	hive.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	Explorer.EXE
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	hive.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	hive.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	hive.exe
File opened for modification	C:\Users\Public\desktop.ini	hive.exe
File opened for modification	C:\$RECYCLE.BIN\S-1-5-21-3470981204-343661084-3367201002-1000\desktop.ini	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	hive.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KZY3GE37\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	hive.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3470981204-343661084-3367201002-1000\desktop.ini	hive.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	hive.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	hive.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	hive.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	hive.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	hive.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	hive.exe

Drops file in System32 directory 64 IoCs

Processes:

hive.exe

description	ioc	process
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0014\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky307.inf_amd64_ja-jp_e40bd14f18e8ff7d\Amd64\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\sffdisk.inf_amd64_neutral_d2425e60845d17d3\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmaiwat.inf_amd64_neutral_213e93b5ced8b0fe\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmsonyu.inf_amd64_neutral_45152a8a9362fb82\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\divacx64.inf_amd64_neutral_fa0f82f024789743\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00a.inf_amd64_neutral_a89d2c01c0f43dfd\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\Professional\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\iirsp2.inf_amd64_neutral_9ed65fe0bab06b1b\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnin002.inf_amd64_neutral_977d40799168c216\Amd64\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wpdcomp.inf_amd64_neutral_11bbf54c8508434e\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\sysprep\fr-FR\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ql2300.inf_amd64_neutral_ca8487daf77ff7cb\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rdvgwddm.inf_amd64_neutral_dd691eae66f3032d\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\Setup\ja-JP\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-WMI-Core\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\HomePremium\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\averfx2hbh826d_noaverir_x64.inf_amd64_neutral_da2ba9e8a30dad14\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\el-GR\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\Setup\en-US\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgl003.inf_amd64_neutral_4c78da9e48068043\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netb57va.inf_amd64_neutral_6264e97d4fc12211\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ts_wpdmtp.inf_amd64_neutral_daa64ca27846aa23\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\Recovery\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx004.inf_amd64_neutral_2cf95f307381e481\Amd64\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wpdfs.inf_amd64_neutral_fc4ebadff3a40ae4\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-RasServer-MigPlugin\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\Setup\it-IT\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaca00a.inf_amd64_neutral_163313056d8f34ab\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wvmic.inf_amd64_neutral_b94eb92e8150fa35\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\angel64.inf_amd64_neutral_6bed16c93db1ccf3\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\UltimateE\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\lsi_sas2.inf_amd64_neutral_e12a5c4cfbe49204\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\WCN\fr-FR\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\en\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\oobe\de-DE\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgl001.inf_amd64_neutral_9209e816461a1a73\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep304.inf_amd64_ja-jp_27c560b15d9928c0\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\WCN\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\UltimateN\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\hr-HR\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\umpass.inf_amd64_neutral_e3be362bfab667d2\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\spp\tokens\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\IME\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\IME\IMETC10\applets\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\StarterN\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\de-DE\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\HomePremiumN\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-StorageMigration\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\HomePremium\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\nl-NL\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\sk-SK\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky302.inf_amd64_ja-jp_dd74fe49601b74f6\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\HomePremium\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\HomeBasicN\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\es-ES\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\Speech\Engines\HOW_TO_DECRYPT.txt	hive.exe

Drops file in Program Files directory 64 IoCs

Processes:

hive.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\System\ado\msadox.dll	hive.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\jawt_md.h.JlkfU920apK1mOxE_Svq4N1_KP5t7dUf9Mme61g323c.hive	hive.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationFramework.resources.dll	hive.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceDaYi.txt	hive.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Program Files\Java\jre7\bin\deploy.dll.JlkfU920apK1mOxE_Svq4GIosXyypII8KG8yIltZIXo.hive	hive.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\WATER.ELM	hive.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]_Svq4INnzLgfqkJUogDnaEgdqQY.hive	hive.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POSTITL.ICO	hive.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_left.gif.JlkfU920apK1mOxE_Svq4CbQTTfyQiopJbGF-xLnlGs.hive	hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_zh_4.4.0.v20140623020002.jar	hive.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm	hive.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-10.JlkfU920apK1mOxE_Svq4A75ymttcHFsGY2_Wy5-n0Y.hive	hive.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE01172_.WMF.JlkfU920apK1mOxE_Svq4D45zdtUsDlwfn7IwAKK4yk.hive	hive.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLPERF.INI.JlkfU920apK1mOxE_Svq4E8yCeYQcrR8Mo6qhBpvsAA.hive	hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml.JlkfU920apK1mOxE_Svq4Jntp4sY8ZcD-l3Ph1aoUkM.hive	hive.exe
File created	C:\Program Files\Common Files\System\de-DE\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\msdasc.dll	hive.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\dicjp.dll	hive.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif	hive.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WORDREP.XML.JlkfU920apK1mOxE_Svq4BZhOPyZ2FQsv6N9sSgIUDM.hive	hive.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\ECHO.INF	hive.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\background.gif	hive.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME06.CSS	hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml.JlkfU920apK1mOxE_Svq4BzUXOJ-zpg-iFTC34zLrh4.hive	hive.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui	hive.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0089945.WMF	hive.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185786.WMF	hive.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME16.CSS	hive.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02214_.GIF.JlkfU920apK1mOxE_Svq4AwIhhYMTM9jRMSWeDbdKkE.hive	hive.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePageScript.js.JlkfU920apK1mOxE_Svq4K5e69BUh_N0ydxqjlcYSHc.hive	hive.exe
File opened for modification	C:\Program Files\Mozilla Firefox\lgpllibs.dll.JlkfU920apK1mOxE_Svq4GI_9wcIkkoUdgtmYW4_Gg0.hive	hive.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe.config.JlkfU920apK1mOxE_Svq4FagH_gVRj53Ro9r0Ybx1TI.hive	hive.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrome.7z.JlkfU920apK1mOxE_Svq4B2YF1lUMzgunm1iKhnS2ys.hive	hive.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\Proof.XML.JlkfU920apK1mOxE_Svq4IETjaoLW84I1mCO3wm4qy4.hive	hive.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00453_.WMF.JlkfU920apK1mOxE_Svq4EB108lHgNYMN_lkmJXnQgU.hive	hive.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02261_.WMF.JlkfU920apK1mOxE_Svq4Lpmhq6YzFFjiNrqqOH1aj4.hive	hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\PYCC.pf	hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe.JlkfU920apK1mOxE_Svq4Ap0wgX9Q7lIVFYCJbDgiyU.hive	hive.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199469.WMF	hive.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02253_.WMF	hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\zipfs.jar	hive.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libtimecode_plugin.dll	hive.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00419_.WMF	hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guatemala.JlkfU920apK1mOxE_Svq4BzAHyvOLaszVgPxv53fjRc.hive	hive.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0158071.WMF	hive.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\SPLASH.WAV.JlkfU920apK1mOxE_Svq4D5imG89D3gqVZdohRZHEVw.hive	hive.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImagesMask.bmp.JlkfU920apK1mOxE_Svq4CJ3q1JupeJ6yGamFPGpDz0.hive	hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_win7.css	hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-impl.xml	hive.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Minsk.JlkfU920apK1mOxE_Svq4F5SJc23bEZO8mkX96t0Tww.hive	hive.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui	hive.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB	hive.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_hevc_plugin.dll.JlkfU920apK1mOxE_Svq4LKacP0i_9wsxKJ5uhqCZjg.hive	hive.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS_COL.HXC	hive.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\settings.js	hive.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_down.png	hive.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01069_.WMF.JlkfU920apK1mOxE_Svq4H5eTmVl4Cl0MgAR5ieOeiQ.hive	hive.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Response.gif.JlkfU920apK1mOxE_Svq4PT5GUuZbuY7YW-1D9LcmB0.hive	hive.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSTH7ES.LEX.JlkfU920apK1mOxE_Svq4MAfzK8kr6pywpHKOHAoZWI.hive	hive.exe

Drops file in Windows directory 64 IoCs

Processes:

hive.exe

description	ioc	process
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..olorspaceconverters_31bf3856ad364e35_6.1.7601.17514_none_c3ab12c1c499b774\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-hotstart-adm_31bf3856ad364e35_6.1.7600.16385_none_8668a37605eed793\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..sh-helper.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a99123b41e4fe847\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..lperclass.resources_31bf3856ad364e35_6.1.7600.16385_es-es_612fa75af0e7bfcd\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..onal-codepage-10029_31bf3856ad364e35_6.1.7600.16385_none_24911d9729a7811b\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..p-cleanup.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fa3ac5c49589f64\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sidebar.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1edab6514de94647\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_prnbr009.inf_31bf3856ad364e35_6.1.7600.16385_none_4d88ba167403f57d\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\msil_taskscheduler_31bf3856ad364e35_6.1.7601.17514_none_170487c39d98ec89\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..er-client.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_6255594a23272fe9\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..erpriseed.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b14453eb2d255ef8\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ftp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_11f51a31013dfae4\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-feedsbs.resources_31bf3856ad364e35_8.0.7600.16385_es-es_bef4845e69104da1\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..gement-ui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_80e542cddae92c4d\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..e-defaultcasingfile_31bf3856ad364e35_6.1.7600.16385_none_da58f2b1dd9d0275\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-keyiso.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0a615764d5644890\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..rity-ntlm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0a6e2760c0b4b30d\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..itiator_service_mof_31bf3856ad364e35_6.1.7601.17514_none_0793641fcc6ca405\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_b35e5a8cb554f3c8\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9121d730a12855c4\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..cingstack.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_177ef49f6bba2c60\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_netg664.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c939ba6b85d395df\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_tpm.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e9a36d7a5d1f2712\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\it\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\0b4d4e172e8054cb61d27f5ab9e0e445\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt93d54979#\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-installer-handler_31bf3856ad364e35_6.1.7600.16385_none_3acf7ac36580942c\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..ion-netsh.resources_31bf3856ad364e35_6.1.7600.16385_en-us_26755b3cf4f83e8e\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-security-syskey_31bf3856ad364e35_6.1.7600.16385_none_74578a893f33207c\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-c..entsnapin.resources_31bf3856ad364e35_6.1.7600.16385_it-it_03c52d9d1a9d3300\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..-kerberos.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_210bd0497176814b\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..mmandline.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1d39044adb1a8277\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-firewall.resources_31bf3856ad364e35_6.1.7600.16385_en-us_82800dd4b52d6cf2\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_mdmpin.inf_31bf3856ad364e35_6.1.7600.16385_none_cd27d545ef083ea5\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..omruntime.resources_31bf3856ad364e35_6.1.7600.16385_de-de_2bb9f14466e492e2\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..-ehchsime.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d7be85f6ac532d69\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..tion_service_iasnap_31bf3856ad364e35_6.1.7600.16385_none_d56fb2316ed57f8f\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sonic-tables-1cb2_31bf3856ad364e35_6.1.7600.16385_none_c4682ec47e0a66dc\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..ecounters.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_baae395ee2a142ef\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-xpsreachviewer_31bf3856ad364e35_6.1.7600.16385_none_7b64ef799c494a30\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-eventviewer.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_231dd00976732ae3\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\assembly\GAC_MSIL\PresentationBuildTasks\3.0.0.0__31bf3856ad364e35\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..iders-msi.resources_31bf3856ad364e35_6.1.7600.16385_it-it_707bb4280d13e464\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..owfilters.kstvtuner_31bf3856ad364e35_6.1.7601.17514_none_311cd124e8340b6c\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\inf\.NET CLR Networking\0C0A\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-setupapi.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1d64e900a235326e\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_modemcsa.inf_31bf3856ad364e35_6.1.7601.17514_none_78520ca36170c34f\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_transfercable.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_1d937da73521876d\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\assembly\GAC_MSIL\SecurityAuditPoliciesSnapIn\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..ic-module.resources_31bf3856ad364e35_6.1.7600.16385_it-it_fb393f53b1512e58\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..s-package.resources_31bf3856ad364e35_6.1.7601.17514_it-it_86fa4eb7805982a0\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Win32.Primitives\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-msi-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ea94d29f5fbbedcf\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-msmpeg2enc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ce23d1c17a69de4d\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ting-separatorpages_31bf3856ad364e35_6.1.7600.16385_none_4dea3646cdc94f6e\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_tpm.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ff7b773385ed4194\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\msil_system.identitymodel.selectors.resources_b77a5c561934e089_6.1.7601.17514_it-it_18bada37833564f6\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Messaging\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-dskquota.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5cf9a5db794cb010\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..iadrm-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_54125f9cf218b8e3\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..lperclass.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c5a8aee644d4ab13\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..utcontrol.resources_31bf3856ad364e35_6.1.7600.16385_es-es_53d18c9f8cebbcf2\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\winsxs\amd64_wcf-infocardcpl_cpl_31bf3856ad364e35_6.1.7600.16385_none_f578352b168f8a4a\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Serialization.Json\HOW_TO_DECRYPT.txt	hive.exe

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
1324	timeout.exe
320	timeout.exe
2500	timeout.exe
3024	timeout.exe
3068	timeout.exe
2956	timeout.exe
2068	timeout.exe
2360	timeout.exe
2676	timeout.exe
1608	timeout.exe
2384	timeout.exe
1848	timeout.exe
1572	timeout.exe
2844	timeout.exe
1620	timeout.exe
2808	timeout.exe
2528	timeout.exe
2284	timeout.exe
580	timeout.exe
2628	timeout.exe
2596	timeout.exe
1760	timeout.exe
1760	timeout.exe
1752	timeout.exe
860	timeout.exe
2848	timeout.exe
2952	timeout.exe
2608	timeout.exe
1208	timeout.exe
1220	timeout.exe
1848	timeout.exe
1036	timeout.exe
1836	timeout.exe
2840	timeout.exe
2764	timeout.exe
2452	timeout.exe
3064	timeout.exe
2028	timeout.exe
1476	timeout.exe
3028	timeout.exe
2804	timeout.exe
2308	timeout.exe
2220	timeout.exe
1532	timeout.exe
1236	timeout.exe
3048	timeout.exe
2800	timeout.exe
2388	timeout.exe
2484	timeout.exe
1372	timeout.exe
964	timeout.exe
860	timeout.exe
2916	timeout.exe
2940	timeout.exe
2468	timeout.exe
1524	timeout.exe
1324	timeout.exe
1244	timeout.exe
2028	timeout.exe
1752	timeout.exe
2168	timeout.exe
1476	timeout.exe
2112	timeout.exe
2496	timeout.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2600 vssadmin.exe

pid	process
2600	vssadmin.exe

Modifies registry class 5 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_Classes\Local Settings	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

hive.exe

pid process

2928 hive.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

112 Explorer.EXE

pid	process
2928	hive.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

vssvc.exeExplorer.EXEAUDIODG.EXE

description	pid	process
Token: SeBackupPrivilege	3036	vssvc.exe
Token: SeRestorePrivilege	3036	vssvc.exe
Token: SeAuditPrivilege	3036	vssvc.exe
Token: SeShutdownPrivilege	112	Explorer.EXE
Token: SeShutdownPrivilege	112	Explorer.EXE
Token: SeShutdownPrivilege	112	Explorer.EXE
Token: SeShutdownPrivilege	112	Explorer.EXE
Token: SeShutdownPrivilege	112	Explorer.EXE
Token: SeShutdownPrivilege	112	Explorer.EXE
Token: SeShutdownPrivilege	112	Explorer.EXE
Token: SeShutdownPrivilege	112	Explorer.EXE
Token: 33	2712	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2712	AUDIODG.EXE
Token: 33	2712	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2712	AUDIODG.EXE
Token: SeShutdownPrivilege	112	Explorer.EXE
Token: SeShutdownPrivilege	112	Explorer.EXE
Token: SeShutdownPrivilege	112	Explorer.EXE
Token: SeShutdownPrivilege	112	Explorer.EXE

Suspicious use of FindShellTrayWindow 41 IoCs

Processes:

Explorer.EXE

pid	process
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

Explorer.EXE

pid	process
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE
112	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

hive.execmd.execmd.exe

description	pid	process	target process
PID 2928 wrote to memory of 2020	2928	hive.exe	cmd.exe
PID 2928 wrote to memory of 2020	2928	hive.exe	cmd.exe
PID 2928 wrote to memory of 2020	2928	hive.exe	cmd.exe
PID 2928 wrote to memory of 2020	2928	hive.exe	cmd.exe
PID 2928 wrote to memory of 2660	2928	hive.exe	cmd.exe
PID 2928 wrote to memory of 2660	2928	hive.exe	cmd.exe
PID 2928 wrote to memory of 2660	2928	hive.exe	cmd.exe
PID 2928 wrote to memory of 2660	2928	hive.exe	cmd.exe
PID 2020 wrote to memory of 2580	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 2580	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 2580	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 2580	2020	cmd.exe	timeout.exe
PID 2660 wrote to memory of 2600	2660	cmd.exe	vssadmin.exe
PID 2660 wrote to memory of 2600	2660	cmd.exe	vssadmin.exe
PID 2660 wrote to memory of 2600	2660	cmd.exe	vssadmin.exe
PID 2660 wrote to memory of 2600	2660	cmd.exe	vssadmin.exe
PID 2020 wrote to memory of 1476	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 1476	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 1476	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 1476	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 2104	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 2104	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 2104	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 2104	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 560	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 560	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 560	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 560	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 1752	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 1752	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 1752	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 1752	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 2284	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 2284	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 2284	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 2284	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 1944	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 1944	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 1944	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 1944	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 1532	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 1532	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 1532	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 1532	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 860	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 860	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 860	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 860	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 1244	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 1244	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 1244	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 1244	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 580	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 580	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 580	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 580	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 1608	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 1608	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 1608	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 1608	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 2468	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 2468	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 2468	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 2468	2020	cmd.exe	timeout.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\hive.exe
"C:\Users\Admin\AppData\Local\Temp\hive.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\SysWOW64\cmd.exe
cmd /c hive.bat >NUL 2>NUL
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2580

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1476

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2104

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:560

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1752

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2284

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1944

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1532

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:860

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1244

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:580

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1608

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2468

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2628

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1564

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1208

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2112

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3024

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1236

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2784

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1324

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2228

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2840

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1876

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:380

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1236

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1788

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2168

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1324

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2384

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1524

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2764

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2596

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2508

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3048

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1760

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2416

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2288

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1476

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2580

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2608

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2988

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2552

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2956

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2124

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1324

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1176

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1752

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2684

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2288

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2744

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1848

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2844

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2276

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:860

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2588

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1036

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2068

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2484

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1620

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2308

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2820

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2028

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2692

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2688

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2256

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2352

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3004

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2740

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2764

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:908

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2360

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2452

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2916

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1628

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1572

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2800

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1832

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1220

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2816

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2848

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2532

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2808

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1068

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3024

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3028

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1472

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2388

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1204

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2868

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1808

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3064

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2676

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1072

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1776

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2008

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2844

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2484

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1564

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2952

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:320

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2940

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1372

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2060

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2608

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1836

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2496

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1620

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2620

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2220

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1096

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2172

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:964

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3068

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2500

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1988

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2528

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2592

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:860

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1608

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1848

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1320

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1612

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1764

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3016

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2068

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1760

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2820

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2164

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1544

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2028

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2692

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2804

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2552

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2892

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1532

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1956

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1840

C:\Windows\SysWOW64\cmd.exe
cmd /c shadow.bat >NUL 2>NUL
2⤵
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2600

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3036

C:\Windows\Explorer.EXE
"C:\Windows\Explorer.EXE"
1⤵
- Modifies Installed Components in the registry
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:112

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x534
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2712

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3470981204-343661084-3367201002-1000\desktop.ini
Filesize
129B

MD5
aabd4f7adf80deddd4f8d782731b2aff

SHA1
76ea5e568d598fb3b490675b7468ba25d6cc6fdb

SHA256
497a8d5a0cb22f5b90e2baad98199cdd92fc6f1727291bddfcbcef0bb9eb7af1

SHA512
824f6cec3154dd263ebcaa420bf24f7ad8406a94a9c0b80137aaa69c9fa32f921094004d35f2040697831bd20b6f0cc92921bba6151e6f2c3d371d3ef1e38572

Download Submit
C:\MSOCache\HOW_TO_DECRYPT.txt
Filesize
1KB

MD5
80207d0f8ea42bdfeaf9f5c586230aca

SHA1
747481fe2b0b6d81c3b19ba62d1e49eab6a5461f

SHA256
25edefb3b0678dfe0d927ff48ce67254359ba379df9468f634d02c026f0e7131

SHA512
73f68ce9e98d2346be1762bd54bb06ef83ae939dfbcf9b786d9b773fa454352613387d264b7a87a1c08950226553817bf01f5aa4107bc12de36a1689e2137304

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000015.db.JlkfU920apK1mOxE_Svq4D8bMZf8fFhwSTr7_F6Dqyg.hive
Filesize
64KB

MD5
a9d537f6407948f3b12fc0ba49036dbb

SHA1
41c2a87d8d56fe6bf5c7303d84138fdc6c6ed8cf

SHA256
bdd03dad021aa498910b7edf63000aa82e47ba210a530422264e41d432ccbfdd

SHA512
031fa2133fb4a8f2a56f79190e352642f6e7533d09a5453dd5b1b92f3d6a325ec6bddae86681c03dc6153a5e8941f32cb7a28a9ae36738da874fcd983342ed2a

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{71302124-CE6A-49A7-B5DA-E021C9CC2899}.2.ver0x0000000000000001.db.JlkfU920apK1mOxE_Svq4ADFdMk-QCMGXzpdBgmrRQA.hive
Filesize
2KB

MD5
7f63f2c6ffb3eed4f0fd8413f013a9a2

SHA1
f662d1c40220ad9dfd055c3c610238407d5e6580

SHA256
1217e0876a2dc315c2a777f38ef8c920515fe2d5651da06c5ff5c536b13fa7f8

SHA512
90636e39e599619c176ec4688518baee8e7c18f5ae4e011992b71c8837c53eba1277ba603d1b9d7ea16d543656bb6a7e32250cb1e5612d03efd71a5b900651b4

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db.JlkfU920apK1mOxE_Svq4Fjuu9PYlYYHVjs3JNvdyXY.hive
Filesize
31KB

MD5
29aaa501aa973ae79c5fac07a535e1b3

SHA1
b6e7c299820386b348ccc61fb90825de0111f5af

SHA256
ed69d21fae97fa0225b5d6274d9383229edeed37a17b93184e3c7648a453e1d4

SHA512
38e9e33ec4cfbb09116781aabf843afa139fd66e8c5fdbcc1207462b1520f38b7c90ba108f515b16eb35233d7e2eec10bd6b35da632b183e84add3eb025a7c99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
Filesize
174B

MD5
e0fd7e6b4853592ac9ac73df9d83783f

SHA1
2834e77dfa1269ddad948b87d88887e84179594a

SHA256
feea416e5e5c8aa81416b81fb25132d1c18b010b02663a253338dbdfb066e122

SHA512
289de77ffbe328388ad080129b7460712985d42076e78a3a545124881c30f564c5ef8fb4024d98903d88a6a187c60431a600f6ecbbe2888ee69e40a67ce77b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\hive.bat
Filesize
162B

MD5
fca5799115172398c63263fad7e854b1

SHA1
2874a1c796f511f94bed6ae020f4b20c38c59cf1

SHA256
27323f85f788e124f6024486f7d2a3dee9a1e88f2fc1617625b8612e47657663

SHA512
a03fecd20d94def5ea75015613d40656d85094eb5584993cd2d082b17badeef6833ae214dc1e8058bda0afe29d8a4cd9a805a2519b1ea76f2bc1cdb274a1841b

Download Submit
C:\Users\Admin\AppData\Local\Temp\shadow.bat
Filesize
57B

MD5
df5552357692e0cba5e69f8fbf06abb6

SHA1
4714f1e6bb75a80a8faf69434726d176b70d7bd8

SHA256
d158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8

SHA512
a837555a1175ab515e2b43da9e493ff0ccd4366ee59defe6770327818ca9afa6f3e39ecdf5262b69253aa9e2692283ee8cebc97d58edd42e676977c7f73d143d

Download Submit
C:\Users\Admin\Desktop\AddEdit.m4v.JlkfU920apK1mOxE_Svq4GQY_sMofy1aBBishza3vyo.hive
Filesize
40KB

MD5
9d5304e83d3e217446a0120cbdad1d64

SHA1
4606a3eb4d26415d00a282738a1c977a854d259b

SHA256
31d90a9174bc72a0c0f01bed9740f3de59bc24933846f1ac390c59252588cdda

SHA512
0e92b06f58b3da7164015e30e43c797b5055217950c12811c246aa286fab4741849892f769274f81bb6649344db4c1dc786def26ba4f1a3cd76215325db34ec0

Download Submit
C:\Users\Admin\Desktop\AddSet.7z.JlkfU920apK1mOxE_Svq4K_DpkmDAgxxJiHbZ27_gFk.hive
Filesize
49KB

MD5
e73decbf671c12bce353af3879608975

SHA1
5fcbcf588ce9d52b5c16e2c1f466e29772b95ce2

SHA256
e0b76d2055416c039bcf4f432a871f64d1d1cc35b424920a0f56d86db6cd2788

SHA512
61d47d705f3e0307ca011dd31661e24266bb4678f85995daef0ecc565cdb49af9b5194e8d4db06c94eaaa3c36c67f38e144d836d260285b9b0e1c6b31dc690fd

Download Submit
C:\Users\Admin\Desktop\AssertLimit.vssm.JlkfU920apK1mOxE_Svq4Gnz8MqvpSJ0i3vh4jIc9iY.hive
Filesize
59KB

MD5
9ebfaacbcfdc0991b704700fa129425f

SHA1
84b4c10dcfe09ffa72827efadf5636e11619c0a6

SHA256
b8f82d67a5ebd81a89d78958ed1a71c2bc68e290aadf2382b09f26e4434077f4

SHA512
003c9a96a522400267717ab1d084fb580602017f53411f6ce0aa47de498fba7fc976ed9c6d7676975926bb62e1232b5b40921dd87deabc70e4472c779e6aadb3

Download Submit
C:\Users\Admin\Desktop\BackupGrant.jfif.JlkfU920apK1mOxE_Svq4CfvDRunPQpSoIDuo8ttu28.hive
Filesize
123KB

MD5
3dc7cbfcf5441aebc04ef710aac49d81

SHA1
1109e19f3e92d69b96ff617e160829fbba63245a

SHA256
970e4e4913d9f433f0287e8baf4af05828d1656a74d5da071c22aab0c84febe9

SHA512
850993ccba670da766b6ba799d7b258be14219e13c40bf4d3002efa62c065446da6c62fdf164afea6e46f5fa7661934ac53049e4d75086a22709615ec063606b

Download Submit
C:\Users\Admin\Desktop\CompleteConvert.wav.JlkfU920apK1mOxE_Svq4F1ZicPpWDVics5q8ud6omQ.hive
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Desktop\ConnectRedo.png.JlkfU920apK1mOxE_Svq4OOSerZ8rihgn_m4CSmD9GI.hive
Filesize
97KB

MD5
04233efd6aa59d4a36f98ab78113bbd9

SHA1
47759f6c6b425f45a333ff45e255bceb8a6bc5fa

SHA256
cee6748437f9ded01aa81af2a5855784d631793c9771e7e68bc3a86defdbdf96

SHA512
05aa43c4c752c61117bdf4b8c9004f5af4f3da2999462ee187416e362e6c5757dcccc9779dd8d010dfd20c0cec4c69bbc80cc80c0e92415bc05fe5ba198b7623

Download Submit
C:\Users\Admin\Desktop\ConvertFromSync.ttc.JlkfU920apK1mOxE_Svq4OxdpaDlqWsHTWlTB_26Ezc.hive
Filesize
2KB

MD5
9e5f998154b9ced573c9790173bf7829

SHA1
bb2dd1edad0850365b7912a80cfcd4bd90907e99

SHA256
874466fd07cd08c5b09da753e7ea8e7d17004659c0ee006b55785fb2d8ab76ca

SHA512
454257f74b744dd97c03017d688e6f15af1e6313203b1f5089c0339e517e4c4fa716ba687b27ff14f0819a654d91213cfb58b9a67659ee3707f4867bb545adbe

Download Submit
C:\Users\Admin\Desktop\DenyRename.aif.JlkfU920apK1mOxE_Svq4Omlvr2u38BX9tP6IRWxW2s.hive
Filesize
40KB

MD5
de461ae8dc7cfc72d5f88062c32483b9

SHA1
66fce19601ca5994498028bbe01cbd2c862b69d4

SHA256
f2bd613699394c64085954d4ede148a7e4f3247564bde12600c32f8f8de0456a

SHA512
e8237aea557edd07064ccd4af407e9d2f8d6c07bb0235aa1e03d178d1b0ffe4e225afe617e58a85010a08d6e97855b44e7887da443e99915ede19f19f4385de1

Download Submit
C:\Users\Admin\Desktop\DismountAssert.ttf.JlkfU920apK1mOxE_Svq4AlkP04NvFNvxuqCcqjObng.hive
Filesize
69KB

MD5
18f79f89152c4aa00f73e7d5f233672c

SHA1
6390384d7ca28f5556e00f8373e46b27c7bcb5c6

SHA256
5648f064159526e486fed0a171b5e6bbda7a9b38dab65cb96b35d7009bf2551e

SHA512
c69916d6fc41585610514f4fcf3a56599da00d3437fc2b8d1bed40024366323c63ab369ecf878c0831c3448e3114567fbe95271f2135b710357941ab5550afb8

Download Submit
C:\Users\Admin\Desktop\FormatMount.shtml.JlkfU920apK1mOxE_Svq4EDQ_MOa8_V7pDJIv5mRfnk.hive
Filesize
43KB

MD5
41254f7931e5f734421c09651ddec418

SHA1
91b25e06d92c872b602812889af49e7dfd6734d7

SHA256
9f294ece1e5b296f78d30d82d5c20d77bd7c378bd5bf065e54b2405902a6acde

SHA512
8620a9b762fd79e80011a0ac9892878c56e55fb0671867bf518a510a5a6f5c0b19bb952a5034d9816e17340934b67b4e0ee9bc4c04cd63b52426f19536a8a171

Download Submit
C:\Users\Admin\Desktop\MoveSplit.7z.JlkfU920apK1mOxE_Svq4K2AspVijhtzMNIQ0TzqNX4.hive
Filesize
179KB

MD5
a848cd440476253cc0e67233c34aa4ee

SHA1
dee73bf1bbe61111071cd15eb3f23d924dd9148e

SHA256
8f2b131a3395dd2cc6094c8b5cdb20e4845d939402deafacb89aaae38da68a19

SHA512
dc1d7fb689fb8b0f50aa961ba476b65aee0a8e028c3bba55a64e38764a98f6c59c35e35cff5dc93a4df1cb2c7a7e0d14f716779f7b0a13b91e19797f5d295818

Download Submit
C:\Users\Admin\Desktop\ReceiveSubmit.aif.JlkfU920apK1mOxE_Svq4E0gmXwR7dNV3YYAt37Yu3I.hive
Filesize
92KB

MD5
aeae90e2327ddead560fc7201c164af3

SHA1
14553cc460285183d1f86447da7f707602da70bf

SHA256
6edeb9662c6cf095bb41fbac52db50de97a7ffcc5dcd366b9df8f03a2e7ef3de

SHA512
5d349c31d62459f3f4ea947270d0a8cb39fe10f51bd0e9c92e8b912386c0dee2e8f6255b4d639a4bd084d471940d926ac035a1f0402f0b345b5557d64b900f14

Download Submit
C:\Users\Admin\Desktop\RepairResolve.shtml.JlkfU920apK1mOxE_Svq4Jr-A7QP358DSLyqUxhKZQY.hive
Filesize
100KB

MD5
dcccc14c534a16e269c73bdaf8472305

SHA1
c528b084defcfb25dda13c97d0838142a8abc288

SHA256
5f7090006a02c391ebef1b2e64b6a11949c006cdc8946172a7798662eb493950

SHA512
155d02df4696fcdc7481144119d98c18d50a4e00d57c875c073344a664e1b5917838186a97216d2e60a5392da248f3a8702e45e8bbb0887ea5a41ce044025902

Download Submit
C:\Users\Admin\Desktop\RequestSkip.tiff.JlkfU920apK1mOxE_Svq4O0fB_d5zkg_bUQxeT5g6z4.hive
Filesize
33KB

MD5
d1cf17292dc37a41f1e1947c06116dac

SHA1
d56e99a7c2a88a05be16140808b7a26e85e7576a

SHA256
89dfdd977f3b16fa2a17ea413cf70dab06080e2819cff6824cea584edb4102ff

SHA512
03bdc8174871076ff7604c709cdd993ccd38972d5a0ebbfd913c1e4fed8799856617eff669ea98e46e342a87f5face89eeba3d30a4e76f0b4c343fd5d0ea412f

Download Submit
C:\Users\Admin\Desktop\SendResume.jfif.JlkfU920apK1mOxE_Svq4OjaUyotVwsEl6nBbnShCyg.hive
Filesize
59KB

MD5
531c7e12bdabfa8b5a57b4930524dc2f

SHA1
52503ee6e023d9f049061051fbe4112f8fd71fe9

SHA256
a8eb87aca45ecccbd41c43a148dbb1f69ee3494ba1522d7462e588ed9e57fc3f

SHA512
643f0d7f579d56e628eadf4416e6484895a226fb66d2e89d11fe970967d81648acf942ddb1ad1cc84d480b7c63087acf4da99e8678f49a058ecb5cdd3d4ba825

Download Submit
C:\Users\Admin\Desktop\StartEdit.mp2v.JlkfU920apK1mOxE_Svq4AZEm07Zcz5_m-zAx_CuTw8.hive
Filesize
226KB

MD5
d26e07e2d14ffcf3a14497acc4b68408

SHA1
b8762e16fc6698b54f53484a79997dff2e7285c2

SHA256
ba79ae2dd13821873d56c6c2163ab16fce454560d0854fee8679f83ee7573304

SHA512
032869abb4e51a4eb545692f6546bec7b03b3a9c05e6fa30b52928cc3b3577ac7cb7bcf19f06c30db7f8c979e4b9781ac154aafc9df88f4c573ac6c33058cb8b

Download Submit
C:\Users\Admin\Desktop\StartLock.wvx.JlkfU920apK1mOxE_Svq4CHZBrljwz9LXWV42fHZxxY.hive
Filesize
120KB

MD5
75e5b876f8afdb0b5f8907317aa43825

SHA1
d581368ccba763067b57e608a2c40e4c5b958268

SHA256
214ffea787b54bfdd7a1a651df99c46e529134ab423458b20c903660cdba6534

SHA512
25524321aa1c020eaaf6e39ac98453f4b10f1e27d782894eed60b75215c34e6c4c6cf04f68e67aa043d9835afeb078a23d927a325fe45f8e6a2546296418bcdc

Download Submit
C:\Users\Admin\Desktop\UndoNew.inf.JlkfU920apK1mOxE_Svq4LvLXEFqjvpSfNFBftznn00.hive
Filesize
179KB

MD5
a3c3b8888d352f665bd0732894798bdc

SHA1
501626c6a3f6d19baa8a16a7837b3a103f1967c5

SHA256
c9255c37a8807b68576ca55ee8729340b163971a09a74544a52520b4431d22d1

SHA512
8d97da483fcca67a3d4a34b228539ae2fe5c535dd470adef1c459966407c21269701d76ce5f6445f358e6dcfe5b93f2da20bf15ab11b0c3083d3ffa74920278a

Download Submit
C:\Users\Admin\Desktop\UninstallUnpublish.aif.JlkfU920apK1mOxE_Svq4FcNhfi0ytdex2TiDeHILnI.hive
Filesize
156KB

MD5
2544cfe4604b506a717c2086e5456cd2

SHA1
cfbf0b75e9b739c86b571ca9232e200cc688ebed

SHA256
1e8fa2d3f05b9f493cab9e45b7fd4d1e4aac30c6f04fa1146b256c97ca5bc13b

SHA512
864fe1ae2f7637420bdc0ef5cf7bcd90dd08f90e59e9b57757fab96943d5035d1403bd43d572b8e5debf8b3292cc1ef23e59991082338c57c02cfea2344ef164

Download Submit
C:\Users\Admin\Desktop\WatchReceive.wax.JlkfU920apK1mOxE_Svq4H3VwZVg5I9YHMfiZ8MAtTY.hive
Filesize
318KB

MD5
612e263f3ad61777e7201110c1585897

SHA1
22de43888096ef44a0645f6ff8882dba0a3eba85

SHA256
e77b5cb5db86cb8b124edb484d3f3e9ee453d355056b84add74b494731daae41

SHA512
2e91ae94a2b8c7cafbce2ef36ed92a68d2df0fc23569adb0d2d0402ac85bd11f4492cc76dc0db2072dbc97282c71ff26e9e32e1a94212129e695175200f0ea30

Download Submit
C:\Users\Admin\Desktop\WriteProtect.wma.JlkfU920apK1mOxE_Svq4PFxwCqMyt9jUYgnrGfH8yw.hive
Filesize
231KB

MD5
88ebcf903369a9c9fedc4ac65396e0dd

SHA1
ef8863b70480d42dd5cceebbb1be387079d8f671

SHA256
394471c8b6c9a3afc613cfd3e99884082514cc24223dd182f9906ade8c39de79

SHA512
068ce537f4e252ca5b223ebd54c2edb0f39946ee6c231031f1cd3043f532cd9586ab098f67616c59c23df8f7cddbcd6526ef82d9e86e2b42ab2161f84cab5f3f

Download Submit
C:\Users\Admin\Desktop\desktop.ini.JlkfU920apK1mOxE_Svq4HMynh203ONRG2JhOAkBjQI.hive
Filesize
282B

MD5
90764386e1042c148b2403ff77c7d379

SHA1
bd56fa84a57260a0c23ace2d2acbeb6f467e377d

SHA256
5ec11a2d7809b408140069aedc5e987c2b5eb6b8c5647c8e24aa0c62c4092f48

SHA512
51f58f31e19f833412385d315a8e5ed7e49cd3c3aad96ab11e7ea33d5f05d35574102a6df26fc3e0a2494fc58887a05414a10dc0fc2605b1ab71e79c12d38730

Download Submit
C:\Users\Public\Desktop\desktop.ini.JlkfU920apK1mOxE_Svq4KhF3F0xuBlti-oUzD-J5kA.hive
Filesize
174B

MD5
770e8934e26d1b8d5c51f5686da1ae57

SHA1
d34d9e1e2320726d4e28efe4c698948d9008929e

SHA256
6a801c20102648f9cb1b5c377090885b924b672ca978ba51a519e42c50d64224

SHA512
5fc3109a9f42f97b2dcc3672ae1ad77fae63e5e97caf56bea00fce32a951e3b53a5709c44921bebe8c7635d4eb3daf04b6e43bf6fac2608323fba6f10609e330

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3470981204-343661084-3367201002-1000\desktop.ini
Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
memory/112-17342-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/112-17323-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/2928-15250-0x0000000000F70000-0x00000000011D3000-memory.dmp

Filesize
2.4MB

Download
memory/2928-17261-0x0000000000F70000-0x00000000011D3000-memory.dmp

Filesize
2.4MB

Download
memory/2928-0-0x0000000000F70000-0x00000000011D3000-memory.dmp

Filesize
2.4MB

Download
memory/2928-2197-0x0000000000F70000-0x00000000011D3000-memory.dmp

Filesize
2.4MB

Download
memory/2928-5133-0x0000000000F70000-0x00000000011D3000-memory.dmp

Filesize
2.4MB

Download
memory/2928-7924-0x0000000000F70000-0x00000000011D3000-memory.dmp

Filesize
2.4MB

Download
memory/2928-11493-0x0000000000F70000-0x00000000011D3000-memory.dmp

Filesize
2.4MB

Download
memory/2928-16895-0x0000000000F70000-0x00000000011D3000-memory.dmp

Filesize
2.4MB

Download
memory/2928-17260-0x0000000000F70000-0x00000000011D3000-memory.dmp

Filesize
2.4MB

Download
memory/2928-2-0x0000000000F70000-0x00000000011D3000-memory.dmp

Filesize
2.4MB

Download
memory/2928-17322-0x0000000000F70000-0x00000000011D3000-memory.dmp

Filesize
2.4MB

Download
memory/2928-17262-0x0000000000F70000-0x00000000011D3000-memory.dmp

Filesize
2.4MB

Download
memory/2928-1-0x0000000000F70000-0x00000000011D3000-memory.dmp

Filesize
2.4MB

Download
memory/2928-17338-0x0000000000F70000-0x00000000011D3000-memory.dmp

Filesize
2.4MB

Download
memory/2928-17339-0x0000000000F70000-0x00000000011D3000-memory.dmp

Filesize
2.4MB

Download
memory/2928-17263-0x0000000000F70000-0x00000000011D3000-memory.dmp

Filesize
2.4MB

Download
memory/2928-17345-0x0000000000F70000-0x00000000011D3000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads