hive | af9e8f301a3677b457345921d7ee765a842eceb7df107714eaffc6193bfc6bbe

Analysis

max time kernel
143s
max time network
130s
platform
windows10-1703_x64
resource
win10-20231220-en
resource tags

arch:x64arch:x86image:win10-20231220-enlocale:en-usos:windows10-1703-x64system
submitted
12-02-2024 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hive.exe
Size

764KB
MD5

2f9fc82898d718f2abe99c4a6fa79e69
SHA1

9d336b8911c8ffd7cc809e31d5b53796bb0cc7bb
SHA256

88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1
SHA512

19f0879b1c54d305ab7a97a0d46ab79c103d4687fe37d5f9ef1934904eea48a1c66b1ac2de3dace6dc0d91623309287044c198cb0b3fc9f8453fbc9d1c0cae8b
SSDEEP

12288:CinNFNkY/yU97ppM4NSBG81Np2C9H4S3iDjlLtc4wCIITIQaOI6NrwacVYV+4MsT:CinN3n/y67jM4v4kCSPDjlLtbwt8IQLH

Score

10^/10

hive persistence ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\$Recycle.Bin\HOW_TO_DECRYPT.txt

Family

hive

Ransom Note

Your network has been breached and all data is encrypted. To decrypt all the data you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: EQA9oydTxwXS Password: vNtgAgb3kMFmCooANNQr Follow the guidelines below to avoid losing your data: - Do not shutdown or reboot your computers, unmount external storages. - Do not try to decrypt data using third party software. It may cause irreversible damage. - Do not fool yourself. Encryption has perfect secrecy and it's impossible to decrypt without knowing the key. - Do not modify, rename or delete *.key.hive files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to authorities. The negotiation process will be terminated immediately and the key will be erased. - Do not reject to purchase. Your sensitive data will be publicly disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

URLs

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

Signatures

Detects Go variant of Hive Ransomware 15 IoCs

Processes:

resource	yara_rule
behavioral6/memory/2196-1-0x0000000000160000-0x00000000003C3000-memory.dmp	hive_go
behavioral6/memory/2196-2-0x0000000000160000-0x00000000003C3000-memory.dmp	hive_go
behavioral6/memory/2196-3005-0x0000000000160000-0x00000000003C3000-memory.dmp	hive_go
behavioral6/memory/2196-5109-0x0000000000160000-0x00000000003C3000-memory.dmp	hive_go
behavioral6/memory/2196-7663-0x0000000000160000-0x00000000003C3000-memory.dmp	hive_go
behavioral6/memory/2196-13495-0x0000000000160000-0x00000000003C3000-memory.dmp	hive_go
behavioral6/memory/2196-16201-0x0000000000160000-0x00000000003C3000-memory.dmp	hive_go
behavioral6/memory/2196-19930-0x0000000000160000-0x00000000003C3000-memory.dmp	hive_go
behavioral6/memory/2196-21363-0x0000000000160000-0x00000000003C3000-memory.dmp	hive_go
behavioral6/memory/2196-21367-0x0000000000160000-0x00000000003C3000-memory.dmp	hive_go
behavioral6/memory/2196-21371-0x0000000000160000-0x00000000003C3000-memory.dmp	hive_go
behavioral6/memory/2196-21376-0x0000000000160000-0x00000000003C3000-memory.dmp	hive_go
behavioral6/memory/2196-21383-0x0000000000160000-0x00000000003C3000-memory.dmp	hive_go
behavioral6/memory/2196-21393-0x0000000000160000-0x00000000003C3000-memory.dmp	hive_go
behavioral6/memory/2196-21396-0x0000000000160000-0x00000000003C3000-memory.dmp	hive_go

Hive
A ransomware written in Golang first seen in June 2021.
ransomware hive
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Drops file in Drivers directory 18 IoCs

Processes:

hive.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\de-DE\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\drivers\en-US\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\drivers\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\drivers\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\HOW_TO_DECRYPT.txt	hive.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Drops startup file 4 IoCs

Processes:

hive.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	hive.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.N1wJhuy-ikFYX1xdI_pK2IRkL7jZ0Bgs8y1-G4tDC3I.hive	hive.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral6/memory/2196-0-0x0000000000160000-0x00000000003C3000-memory.dmp	upx
behavioral6/memory/2196-1-0x0000000000160000-0x00000000003C3000-memory.dmp	upx
behavioral6/memory/2196-2-0x0000000000160000-0x00000000003C3000-memory.dmp	upx
behavioral6/memory/2196-3005-0x0000000000160000-0x00000000003C3000-memory.dmp	upx
behavioral6/memory/2196-5109-0x0000000000160000-0x00000000003C3000-memory.dmp	upx
behavioral6/memory/2196-7663-0x0000000000160000-0x00000000003C3000-memory.dmp	upx
behavioral6/memory/2196-13495-0x0000000000160000-0x00000000003C3000-memory.dmp	upx
behavioral6/memory/2196-16201-0x0000000000160000-0x00000000003C3000-memory.dmp	upx
behavioral6/memory/2196-19930-0x0000000000160000-0x00000000003C3000-memory.dmp	upx
behavioral6/memory/2196-21363-0x0000000000160000-0x00000000003C3000-memory.dmp	upx
behavioral6/memory/2196-21367-0x0000000000160000-0x00000000003C3000-memory.dmp	upx
behavioral6/memory/2196-21371-0x0000000000160000-0x00000000003C3000-memory.dmp	upx
behavioral6/memory/2196-21376-0x0000000000160000-0x00000000003C3000-memory.dmp	upx
behavioral6/memory/2196-21383-0x0000000000160000-0x00000000003C3000-memory.dmp	upx
behavioral6/memory/2196-21393-0x0000000000160000-0x00000000003C3000-memory.dmp	upx
behavioral6/memory/2196-21396-0x0000000000160000-0x00000000003C3000-memory.dmp	upx

Drops desktop.ini file(s) 64 IoCs

Processes:

hive.exe

description	ioc	process
File opened for modification	C:\Program Files\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	hive.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	hive.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	hive.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	hive.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	hive.exe
File opened for modification	C:\Users\Public\desktop.ini	hive.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	hive.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	hive.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	hive.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	hive.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3934047325-4097474570-3437169968-1000\desktop.ini	hive.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3934047325-4097474570-3437169968-1000\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	hive.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	hive.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	hive.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	hive.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	hive.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	hive.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	hive.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	hive.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	hive.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	hive.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	hive.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	hive.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	hive.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	hive.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	hive.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	hive.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	hive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	hive.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	hive.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	hive.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	hive.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	hive.exe

Drops file in System32 directory 64 IoCs

Processes:

hive.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_fsantivirus.inf_amd64_d27ea3c67cf339a9\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_bb379132d2c203f7\Amd64\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\uicciso.inf_amd64_ab77a5dd693a6343\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\uaspstor.inf_amd64_19ad862819aa6959\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\Licenses\neutral\Volume\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\Volume\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgl009.inf_amd64_f44e0dacbcdc7622\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndisimplatform.inf_amd64_2fade3bf826385f9\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\WCN\de-DE\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_EnvironmentResource\en-US\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RoleResource\fr-FR\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wmbclass_wmc_union.inf_amd64_59ecd0de1b9c2bd9\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prndlclv.inf_amd64_e2158c7cf3110141\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\0014\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\bg-BG\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmntt1.inf_amd64_1f02a6263a706929\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netmlx4eth63.inf_amd64_1494a807d41d4e3d\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnekcl2.inf_amd64_0a4ef5f40c1abe07\amd64\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetNat\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\fi-FI\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\spp\tokens\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PnpDevice\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\spp\tokens\skus\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\Speech_OneCore\Common\zh-CN\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\es-ES\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmcom1.inf_amd64_c805643d44354d5b\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\fr-FR\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_scmvolume.inf_amd64_f7a20be951600f52\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usb.inf_amd64_9d11c732890f6cba\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\en-US\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmbw561.inf_amd64_ede380323efcbed0\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\sdfrd.inf_amd64_eec092acf44d0f6e\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\SMI\Store\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_net.inf_amd64_95255160f12fc865\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetSwitchTeam\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\IME\SHARED\res\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RoleResource\it-IT\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\networklist\icons\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\WCN\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnge001.inf_amd64_e697c1d4e9d89b07\Amd64\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\de-DE\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_GroupResource\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\CimCmdlets\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\es-ES\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RoleResource\en-US\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForAny\ja-JP\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ialpssi_i2c.inf_amd64_8e00e1aed7fbdf70\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmhandy.inf_amd64_bb9338851f6bc758\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\fr\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\IME\IMEKR\APPLETS\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmaiwat.inf_amd64_e4992c1693234ea0\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\Licenses\neutral\_Default\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmdf56f.inf_amd64_379b4549d3e536ff\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net819xp.inf_amd64_ded518ad79c316ac\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wpdmtphw.inf_amd64_93847c0f3602751f\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\International\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\Configuration\ConfigurationStatus\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\F12\de-DE\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Dism\es\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\Speech_OneCore\Common\fr-CA\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\SysWOW64\en-US\HOW_TO_DECRYPT.txt	hive.exe

Drops file in Program Files directory 64 IoCs

Processes:

hive.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-100.png	hive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\PeopleSplashScreen.scale-100.png	hive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\ClrCompression.dll	hive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\star.png	hive.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\s_radio_selected_18.svg	hive.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui	hive.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\resources.jar	hive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\css\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Xml.Linq.dll	hive.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\bn_60x42.png	hive.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\powerpointmui.msi.16.en-us.boot.tree.dat.N1wJhuy-ikFYX1xdI_pK2IZhj3QyXaYSEe04Bqg-8jY.hive	hive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-48.png	hive.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\es-es\ui-strings.js.N1wJhuy-ikFYX1xdI_pK2D8ESmK8bJQdCYz9wWd8u2I.hive	hive.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-libraryloader-l1-1-0.dll.N1wJhuy-ikFYX1xdI_pK2GkzkGyrY2J-VcvAlNpBGGs.hive	hive.exe
File created	C:\Program Files (x86)\Adobe\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Particles\butterfly.respack	hive.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-up-pressed.gif	hive.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD.HXS	hive.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\mobile\en-GB\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ppd.xrm-ms	hive.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorSplashScreen.contrast-black_scale-125.png	hive.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-pl.xrm-ms	hive.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\libssl-1_1-x64.dll	hive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-black\Square71x71Logo.scale-100.png	hive.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso40UIwin32client.dll	hive.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.scale-125.png	hive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageStoreLogo.scale-100.png	hive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\SharpDXEngine\Rendering\Shaders\Builtin\HLSL\Textured.fx	hive.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\scan_poster.jpg	hive.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONBttnIE.dll.N1wJhuy-ikFYX1xdI_pK2P1Zv609tpJ1i5VnH0F9d3Y.hive	hive.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_close_h.png.N1wJhuy-ikFYX1xdI_pK2I9nN2zl_ts7UQyHDdouhXI.hive	hive.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui	hive.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml.N1wJhuy-ikFYX1xdI_pK2Cr-IF54WAEpfdBsHEPAbms.hive	hive.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.Runtime.InteropServices.RuntimeInformation.dll.N1wJhuy-ikFYX1xdI_pK2BbqqpO8eGsJ4Q6mrZu8zHo.hive	hive.exe
File created	C:\Program Files (x86)\Windows Defender\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt	hive.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsWideTile.scale-200.png	hive.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-fr\ui-strings.js	hive.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\it-it\ui-strings.js	hive.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\currency.data	hive.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\eu-es\ui-strings.js	hive.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ppd.xrm-ms.N1wJhuy-ikFYX1xdI_pK2NiWJwOhfN0g3m8RXX_gHzs.hive	hive.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STRTEDGE\STRTEDGE.ELM.N1wJhuy-ikFYX1xdI_pK2CGmSRD3TR5RPluHZ7SkTHs.hive	hive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Assets\Wide310x150Logo.scale-200.png	hive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\km_16x11.png	hive.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL106.XML.N1wJhuy-ikFYX1xdI_pK2Pk9KGtYHxRjW_9rXX1rsXI.hive	hive.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml	hive.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\fr-FR\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ppd.xrm-ms	hive.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-40_altform-unplated_contrast-white.png	hive.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Google.scale-400.png	hive.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Klondike\ResPacks\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\StoreRatingPromotion.dll	hive.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Voices\en-GB\HOW_TO_DECRYPT.txt	hive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\PopUp\Pop_up_Ok.png	hive.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroSup64.dll	hive.exe

Drops file in Windows directory 64 IoCs

Processes:

hive.exe

description	ioc	process
File created	C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_hu-hu_439feb4b4bf29ff6\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-p..ll-events.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_2d21c6c284c70223\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-winsrv.resources_31bf3856ad364e35_10.0.15063.0_de-de_b040ed5382bd684a\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-wordpad.resources_31bf3856ad364e35_10.0.15063.0_en-us_61fee7cddfb76684\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wcmsvc.resources_31bf3856ad364e35_10.0.15063.0_it-it_947109d126dffd73\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_wnetvsc_vfpp.inf.resources_31bf3856ad364e35_10.0.15063.0_it-it_4c674dcd6983951d\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\msil_vmconnect6.2.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_dc1fc24c3b9593dd\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-usermodensi.resources_31bf3856ad364e35_10.0.15063.0_de-de_aec8c3bb5e24a21b\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections.Concurrent\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mpg4decd_31bf3856ad364e35_10.0.15063.0_none_71b967829ad88a08\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..madvanced.resources_31bf3856ad364e35_10.0.15063.0_en-us_c05939fbc4cf3ff5\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-srhelper_31bf3856ad364e35_10.0.15063.0_none_bff83135934c4b33\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-bubbles.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_7fef2bbdc8ef497f\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ybinaries.resources_31bf3856ad364e35_10.0.15063.0_it-it_aaaf823cc0296ac6\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\x86_netfx4-system.data...ty.design.resources_b03f5f7f11d50a3a_4.0.14917.0_es-es_5435572b45b8a7ee\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-white\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_dual_mgtdyn.inf_31bf3856ad364e35_10.0.15063.0_none_f7aca62382d2b121\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wbiosrvc.resources_31bf3856ad364e35_10.0.15063.0_es-es_fc6ed764690f8dcf\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_netmlx4eth63.inf_31bf3856ad364e35_10.0.15063.0_none_d9e6edce8fcaecb9\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\Boot\PCAT\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-diagcpl.resources_31bf3856ad364e35_10.0.15063.0_it-it_a5d8f84aa265b9c0\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_system.web_b03f5f7f11d50a3a_10.0.15063.0_none_68cb07759e6cd1e7\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-n..pprovider.resources_31bf3856ad364e35_10.0.15063.0_es-es_a758479c384e4809\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.JScript\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-directshow-capture_31bf3856ad364e35_10.0.15063.0_none_c9ecfc6c58596f87\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mspaint.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_fc4ad1128a06d67d\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wifidisplay.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_c4a37372ab4c616f\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\Boot\EFI\sl-SI\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_netfx4-system.windows.forms.resources_b03f5f7f11d50a3a_4.0.14917.0_it-it_98eadfec9273018d\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\wow64_microsoft-onecore-s..chservice-component_31bf3856ad364e35_10.0.15063.0_none_c905967bf90e9182\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.DurableInstancing.resources\v4.0_4.0.0.0_fr_31bf3856ad364e35\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-internetmailcsp_31bf3856ad364e35_10.0.15063.0_none_0c41823c76acadc3\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_it-it_7e907bf73dd18cb3\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_netax88179_178a.inf_31bf3856ad364e35_10.0.15063.0_none_f738a61d029761ce\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.ContainerControl\v4.0_10.0.0.0__b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_netfx4-microsoft.tr..ridge.dtc.resources_b03f5f7f11d50a3a_4.0.14917.0_fr-fr_1bde428e370ea147\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-m..-comm-dll.resources_31bf3856ad364e35_10.0.15063.0_en-us_72a5281ca27c77ca\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\assembly\GAC_MSIL\System.DirectoryServices.resources\2.0.0.0_de_b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..vice-core.resources_31bf3856ad364e35_10.0.15063.0_en-us_db38948284726d51\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_netfx-sos_dll_b03f5f7f11d50a3a_10.0.15063.0_none_85931a5e82c1ccb0\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_netfx4-regasm.resources_b03f5f7f11d50a3a_4.0.14917.0_ja-jp_0e74890c85c7ee78\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-d..directplay8-payload_31bf3856ad364e35_1.0.15063.0_none_fa622cd33ec493c0\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-s..ration-ui.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_ba93d68aff423d0e\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..ficiencywizard-task_31bf3856ad364e35_10.0.15063.0_none_8b04c957477d105a\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-o..ct-picker.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_1a69adeebb96063a\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_net7800-x64-n650f.inf.resources_31bf3856ad364e35_10.0.15063.0_en-us_3a1a2bc64d2cedbc\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-shenzhouttsvoicecommon_31bf3856ad364e35_10.0.15063.0_none_97901982b52fc171\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\msil_policy.1.0.microsof..commands.management_31bf3856ad364e35_10.0.15063.0_none_d0529fb67023608f\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\x86_netfx4-installcommon_sql_b03f5f7f11d50a3a_4.0.15552.17062_none_a4550d224185546b\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-deviceaccess.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_40e6e3a899f52012\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..ification.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_52051e7a17ba8435\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..cher-tool.resources_31bf3856ad364e35_10.0.15063.0_en-us_f7125781a9c62019\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..per-tcpip.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_16c4b1c3cad45bbe\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-cdosys.resources_31bf3856ad364e35_10.0.15063.0_nl-nl_ce4bf9ffcb694d3d\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.AddIn.Contract\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_c_netdriver.inf.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_05a3e76e843b94ba\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..orkstatus.resources_31bf3856ad364e35_10.0.15063.0_es-es_920d96bf59050f2a\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\msil_system.web.entity.design_b77a5c561934e089_10.0.15063.0_none_4f7c6360531fb406\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-bcrypt-dll_31bf3856ad364e35_10.0.15063.0_none_09f516f85c9523f2\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_10.0.15063.0_es-es_13f2c1336fc232df\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wwanhc.resources_31bf3856ad364e35_10.0.15063.0_en-us_cc8362d937ced863\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_ndisimplatform.inf.resources_31bf3856ad364e35_10.0.15063.0_es-es_bf83f10f9f509d73\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_netr28ux.inf_31bf3856ad364e35_10.0.15063.0_none_5323dd7c5c99aca1\HOW_TO_DECRYPT.txt	hive.exe
File created	C:\Windows\WinSxS\amd64_prnnecl2.inf.resources_31bf3856ad364e35_10.0.15063.0_es-es_2d3557a65674f876\HOW_TO_DECRYPT.txt	hive.exe

Checks SCSI registry key(s) 3 TTPs 26 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
4540	timeout.exe
4404	timeout.exe
1896	timeout.exe
520	timeout.exe
3988	timeout.exe
360	timeout.exe
1396	timeout.exe
2828	timeout.exe
4048	timeout.exe
428	timeout.exe
3964	timeout.exe
3248	timeout.exe
4144	timeout.exe
4436	timeout.exe
1936	timeout.exe
3760	timeout.exe
1848	timeout.exe
2332	timeout.exe
1112	timeout.exe
2068	timeout.exe
1080	timeout.exe
2472	timeout.exe
1928	timeout.exe
3908	timeout.exe
204	timeout.exe
396	timeout.exe
2384	timeout.exe
3828	timeout.exe
4004	timeout.exe
4692	timeout.exe
4976	timeout.exe
3552	timeout.exe
368	timeout.exe
5000	timeout.exe
1720	timeout.exe
516	timeout.exe
516	timeout.exe
3168	timeout.exe
360	timeout.exe
3548	timeout.exe
3836	timeout.exe
4124	timeout.exe
3232	timeout.exe
3024	timeout.exe
1720	timeout.exe
3688	timeout.exe
3752	timeout.exe
4564	timeout.exe
2468	timeout.exe
3424	timeout.exe
4224	timeout.exe
4168	timeout.exe
2836	timeout.exe
5088	timeout.exe
3424	timeout.exe
628	timeout.exe
2980	timeout.exe
240	timeout.exe
3548	timeout.exe
208	timeout.exe
2732	timeout.exe
2180	timeout.exe
2244	timeout.exe
4232	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchUI.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1052 vssadmin.exe

pid	process
1052	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

Processes:

SearchUI.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Internet Explorer\GPU	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 64 IoCs

Processes:

explorer.exeSearchUI.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Sort = 0000000000000000000000000000000002000000f4eec83032a8e241ab32e3c3ca28fd29030000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupView = "4294967295"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133475442294302377"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "11645"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Rev = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "11612"	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f80cb859f6720028040b29b5540cc05aab60000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616209"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Mode = "6"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "2"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010006000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000fdc000000000000002000000e80702004100720067006a006200650078002000200033000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c000000000000000000000000d1e8483e895dda0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e80702004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000bf92143e895dda0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000e80702004c0062006800200075006e006900720020007300760079007200660020006a006e007600670076006100740020006700620020006f00720020006f0068006500610072007100200067006200200071007600660070000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000002000000000000000000000000000000000000000000000000000000000000002e53293e895dda0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e7070c004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc7600000000000000000000000088e665653533da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e7070c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e7070c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616193"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PID = "2"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1"	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

hive.exe

pid process

2196 hive.exe
2196 hive.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2644 vssvc.exe
Token: SeRestorePrivilege 2644 vssvc.exe
Token: SeAuditPrivilege 2644 vssvc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SearchUI.exe

pid process

2988 SearchUI.exe

pid	process
2196	hive.exe
2196	hive.exe

description	pid	process
Token: SeBackupPrivilege	2644	vssvc.exe
Token: SeRestorePrivilege	2644	vssvc.exe
Token: SeAuditPrivilege	2644	vssvc.exe

pid	process
2988	SearchUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

hive.execmd.execmd.exe

description	pid	process	target process
PID 2196 wrote to memory of 4080	2196	hive.exe	cmd.exe
PID 2196 wrote to memory of 4080	2196	hive.exe	cmd.exe
PID 2196 wrote to memory of 4080	2196	hive.exe	cmd.exe
PID 2196 wrote to memory of 2892	2196	hive.exe	cmd.exe
PID 2196 wrote to memory of 2892	2196	hive.exe	cmd.exe
PID 2196 wrote to memory of 2892	2196	hive.exe	cmd.exe
PID 2892 wrote to memory of 1052	2892	cmd.exe	vssadmin.exe
PID 2892 wrote to memory of 1052	2892	cmd.exe	vssadmin.exe
PID 2892 wrote to memory of 1052	2892	cmd.exe	vssadmin.exe
PID 4080 wrote to memory of 780	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 780	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 780	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 820	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 820	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 820	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 4692	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 4692	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 4692	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 4232	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 4232	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 4232	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 4976	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 4976	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 4976	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 2332	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 2332	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 2332	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 3424	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 3424	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 3424	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 3232	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 3232	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 3232	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 4232	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 4232	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 4232	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 2084	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 2084	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 2084	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 3988	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 3988	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 3988	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 2472	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 2472	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 2472	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 2244	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 2244	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 2244	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 1112	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 1112	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 1112	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 2384	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 2384	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 2384	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 628	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 628	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 628	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 3024	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 3024	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 3024	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 516	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 516	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 516	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 816	4080	cmd.exe	timeout.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\hive.exe
"C:\Users\Admin\AppData\Local\Temp\hive.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c hive.bat >NUL 2>NUL
2⤵
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:780

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:820

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:4692

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4232

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:4976

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2332

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3424

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3232

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:4232

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2084

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3988

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2472

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2244

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1112

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2384

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:628

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3024

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:516

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:816

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1052

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:360

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2828

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2180

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4288

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4432

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3548

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4804

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1604

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1720

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:360

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2552

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:4224

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1396

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:528

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:444

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2852

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2748

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2388

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4124

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3248

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:240

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:444

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:4540

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1604

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3548

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:704

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4272

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:4168

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1988

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2836

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3752

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3764

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:5000

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3964

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3908

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2396

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3512

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:208

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3552

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4768

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2068

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3884

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4428

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1928

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1720

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1532

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4568

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2984

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3168

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4324

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:5088

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1080

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:4404

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3612

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2732

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:368

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3464

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:236

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3352

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:4048

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3688

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4040

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4076

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1936

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3480

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4556

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4156

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3836

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2280

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2420

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1884

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4500

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:1668

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2980

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4824

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2244

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3828

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3584

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3216

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:204

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:4124

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3760

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3424

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:4564

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4592

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2944

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:3812

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4400

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4464

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1896

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:4144

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:2068

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:396

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2384

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:428

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:4004

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2468

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:4436

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4376

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:516

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:5040

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:520

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
PID:4768

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3964

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c shadow.bat >NUL 2>NUL
2⤵
- Suspicious use of WriteProcessMemory
PID:2892

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1052

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
PID:4700

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2988

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\HOW_TO_DECRYPT.txt
Filesize
1KB

MD5
80207d0f8ea42bdfeaf9f5c586230aca

SHA1
747481fe2b0b6d81c3b19ba62d1e49eab6a5461f

SHA256
25edefb3b0678dfe0d927ff48ce67254359ba379df9468f634d02c026f0e7131

SHA512
73f68ce9e98d2346be1762bd54bb06ef83ae939dfbcf9b786d9b773fa454352613387d264b7a87a1c08950226553817bf01f5aa4107bc12de36a1689e2137304

Download Submit
C:\$Recycle.Bin\S-1-5-21-3934047325-4097474570-3437169968-1000\desktop.ini
Filesize
129B

MD5
35167ab7882cfa0e57e29cb8201de1ed

SHA1
bb817bf693d4a3039e8a8ddd241b72b3d9fd0be2

SHA256
16f85f183000004a26e46fdf09808ce127778cf0879f0e1b51f41a105ee327ae

SHA512
ca43e4d56171769eae429a910b70686f959d7c53c8a269a1b5b1e3413ff2dbdded267db2f2e91d90e8f19b7f20a70dd1d085ce19a23814883b6948fa7fadb7c1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\SQWB85W4\microsoft.windows[1].xml
Filesize
97B

MD5
ffc33ad51339acd282862b996a5c30ce

SHA1
9ad8953d49c5005e239792c73c93879dd392a548

SHA256
253b640f28d7547188f664dc786145a539e41bf3e299621f90910ba358ff9634

SHA512
4f90205bebb6afbf8656b88e1adcea65ffcf894ba4aa5af0ac89b7fdcbb6fb089a851a88fa099e42f247402fe88c8db5645956c364939c4d1f0ea845762b5385

Download Submit
C:\Users\Admin\AppData\Local\Temp\hive.bat
Filesize
162B

MD5
fca5799115172398c63263fad7e854b1

SHA1
2874a1c796f511f94bed6ae020f4b20c38c59cf1

SHA256
27323f85f788e124f6024486f7d2a3dee9a1e88f2fc1617625b8612e47657663

SHA512
a03fecd20d94def5ea75015613d40656d85094eb5584993cd2d082b17badeef6833ae214dc1e8058bda0afe29d8a4cd9a805a2519b1ea76f2bc1cdb274a1841b

Download Submit
C:\Users\Admin\AppData\Local\Temp\shadow.bat
Filesize
57B

MD5
df5552357692e0cba5e69f8fbf06abb6

SHA1
4714f1e6bb75a80a8faf69434726d176b70d7bd8

SHA256
d158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8

SHA512
a837555a1175ab515e2b43da9e493ff0ccd4366ee59defe6770327818ca9afa6f3e39ecdf5262b69253aa9e2692283ee8cebc97d58edd42e676977c7f73d143d

Download Submit
memory/2196-21367-0x0000000000160000-0x00000000003C3000-memory.dmp

Filesize
2.4MB

Download
memory/2196-16201-0x0000000000160000-0x00000000003C3000-memory.dmp

Filesize
2.4MB

Download
memory/2196-3005-0x0000000000160000-0x00000000003C3000-memory.dmp

Filesize
2.4MB

Download
memory/2196-5109-0x0000000000160000-0x00000000003C3000-memory.dmp

Filesize
2.4MB

Download
memory/2196-7663-0x0000000000160000-0x00000000003C3000-memory.dmp

Filesize
2.4MB

Download
memory/2196-13495-0x0000000000160000-0x00000000003C3000-memory.dmp

Filesize
2.4MB

Download
memory/2196-21396-0x0000000000160000-0x00000000003C3000-memory.dmp

Filesize
2.4MB

Download
memory/2196-21393-0x0000000000160000-0x00000000003C3000-memory.dmp

Filesize
2.4MB

Download
memory/2196-1-0x0000000000160000-0x00000000003C3000-memory.dmp

Filesize
2.4MB

Download
memory/2196-2-0x0000000000160000-0x00000000003C3000-memory.dmp

Filesize
2.4MB

Download
memory/2196-21383-0x0000000000160000-0x00000000003C3000-memory.dmp

Filesize
2.4MB

Download
memory/2196-19930-0x0000000000160000-0x00000000003C3000-memory.dmp

Filesize
2.4MB

Download
memory/2196-21363-0x0000000000160000-0x00000000003C3000-memory.dmp

Filesize
2.4MB

Download
memory/2196-0-0x0000000000160000-0x00000000003C3000-memory.dmp

Filesize
2.4MB

Download
memory/2196-21371-0x0000000000160000-0x00000000003C3000-memory.dmp

Filesize
2.4MB

Download
memory/2196-21376-0x0000000000160000-0x00000000003C3000-memory.dmp

Filesize
2.4MB

Download
memory/2988-14105-0x000001E9AA540000-0x000001E9AA560000-memory.dmp

Filesize
128KB

Download
memory/2988-14100-0x000001E9AA3C0000-0x000001E9AA3E0000-memory.dmp

Filesize
128KB

Download
memory/4700-16824-0x00007FF8849C0000-0x00007FF8849F3000-memory.dmp

Filesize
204KB

Download