Analysis
max time kernel: 134s
max time network: 93s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-07-2024 16:42
Behavioral task: behavioral1
Sample: 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
Resource: win10v2004-20240704-en

Behavioral task: behavioral2
Sample: 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
Resource: win11-20240704-en
General
Target: 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
Size: 764KB
MD5: 2f9fc82898d718f2abe99c4a6fa79e69
SHA1: 9d336b8911c8ffd7cc809e31d5b53796bb0cc7bb
SHA256: 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1
SHA512: 19f0879b1c54d305ab7a97a0d46ab79c103d4687fe37d5f9ef1934904eea48a1c66b1ac2de3dace6dc0d91623309287044c198cb0b3fc9f8453fbc9d1c0cae8b
SSDEEP: 12288:CinNFNkY/yU97ppM4NSBG81Np2C9H4S3iDjlLtc4wCIITIQaOI6NrwacVYV+4MsT:CinN3n/y67jM4v4kCSPDjlLtbwt8IQLH
Malware Config
Extracted from: C:\$Recycle.Bin\HOW_TO_DECRYPT.txt
Family: hive
URLs:
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
Signatures
Detects Go variant of Hive Ransomware (15 IoCs)
Hive: a ransomware written in Golang, first seen in June 2021.
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Key created: \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Software\Microsoft\Active Setup\Installed Components (process: explorer.exe)
Drops file in Drivers directory (20 IoCs)
Drops startup file (4 IoCs)
Process for all four entries: 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW_TO_DECRYPT.txt
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\HOW_TO_DECRYPT.txt
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.2IsxdCEZjn6OcoOXEGUF9pzeeNNkUxgtJm5e7McAXSo.hive
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Drops desktop.ini file(s) (64 IoCs)
Drops file in System32 directory (64 IoCs)
Drops file in Program Files directory (64 IoCs)
88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\Windows NT\TableTextService\TableTextServiceDaYi.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupMedTile.scale-125.png 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-us\lpcstrings.json 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\Microsoft Office\root\rsod\powerview.x-none.msi.16.x-none.tree.dat.2IsxdCEZjn6OcoOXEGUF9nRUqG_XgRRNZcFiRWuCXiY.hive 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-64.png 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Dark.scale-125.png 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\upsell.png 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\nb.pak.2IsxdCEZjn6OcoOXEGUF9rlnlILsVTwomPRp0UI7BWY.hive 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\Microsoft 
Office\root\Licenses16\O365ProPlusR_SubTrial1-ul-oob.xrm-ms.2IsxdCEZjn6OcoOXEGUF9iScnC0Fq1oePzoeYZeghD4.hive 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\AppxManifest.xml 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBUI6.CHM 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeGreaterThan.ps1 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\Mozilla Firefox\IA2Marshal.dll.2IsxdCEZjn6OcoOXEGUF9vKav1SZfuBqypE5aQKYPHU.hive 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash_11-lic.gif.2IsxdCEZjn6OcoOXEGUF9gLBdNccUvVRoOajTCQlQnM.hive 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\jsse.jar.2IsxdCEZjn6OcoOXEGUF9nPb5Gtahmk0vcKrp8clYBA.hive 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_K_COL.HXK 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-16.png 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-256_altform-lightunplated.png 
88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\ReachFramework.resources.dll 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png.2IsxdCEZjn6OcoOXEGUF9kdTRb66JeIvwtgfhBuprhQ.hive 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe.2IsxdCEZjn6OcoOXEGUF9jWmDDOrkIRXt9dElJCtX2s.hive 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe.2IsxdCEZjn6OcoOXEGUF9vqcJRWrmfkivgagrZZEsUg.hive 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\EntityPickerIntl.dll.2IsxdCEZjn6OcoOXEGUF9hlSLh9CQYth4bD1ZDPqeUs.hive 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.XmlSerializers.dll.2IsxdCEZjn6OcoOXEGUF9lY8xk35sXNZcIpvTSy672c.hive 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\hostpolicy.dll 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockMedTile.contrast-white_scale-125.png 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files 
(x86)\Google\Update\1.3.36.151\goopdateres_no.dll 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\fr-FR\PackageManagementDscUtilities.strings.psd1.2IsxdCEZjn6OcoOXEGUF9iQ9_C6e44wsrSQJwuHUbXs.hive 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-20_altform-lightunplated.png 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\pt-br\ui-strings.js 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\WindowsBase.resources.dll 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libinflate_plugin.dll 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE.2IsxdCEZjn6OcoOXEGUF9lOxQFo84Xs12Vb6bo3XZFQ.hive 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ind_prog.gif 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ppd.xrm-ms 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\HOW_TO_DECRYPT.txt 
88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL089.XML.2IsxdCEZjn6OcoOXEGUF9uwcMt3f39A9A5rlXN0YUBI.hive 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security.Principal\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_cpu.inf.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_dc13cf28a1dea4e8\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-kdcpw.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_906aed15acfb9996\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-p..rdenrollmentmanager_31bf3856ad364e35_10.0.19041.746_none_ce6bfbcadad4054f\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-s..gementwmi.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d21b2d27db59e874\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-t..torclient.resources_31bf3856ad364e35_10.0.19041.1_en-us_f48fd009dcb81c75\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-timezone-syncres_31bf3856ad364e35_10.0.19041.1_none_2a40316540aa4f3a\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-d..g-adminui.resources_31bf3856ad364e35_10.0.19041.1_es-es_6e1289330468160e\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-n..lprovider.resources_31bf3856ad364e35_10.0.19041.1_en-us_b2aac2063f02bbf3\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created 
C:\Windows\WinSxS\amd64_hyperv-compute-cont..sticstool.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_bc878392a6f92ccc\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-d..8-payload.resources_31bf3856ad364e35_10.0.19041.1_en-us_8b7c6f894779d4b8\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_dual_mdmomrn3.inf_31bf3856ad364e35_10.0.19041.1_none_213e826732487758\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_dual_usbport.inf_31bf3856ad364e35_10.0.19041.1_none_d54192b9b0949c86\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-msmq.resources_31bf3856ad364e35_10.0.19041.1_it-it_a943405a88a70095\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-s..baaupdate.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_872cba7c39d48e4e\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-cxhprovisioning_31bf3856ad364e35_10.0.19041.264_none_3756072d45cd9e22\r\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ctivities.resources_31bf3856ad364e35_10.0.19041.1_de-de_87546ce25029bc0f\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-fontext.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_995cd58f2975181b\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\Logs\DPX\HOW_TO_DECRYPT.txt 
88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-ie-f12diagnosticstap_31bf3856ad364e35_11.0.19041.746_none_d3dacb61ffa82429\f\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-settingsynccore_31bf3856ad364e35_10.0.19041.264_none_5754081f862908dc\f\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-security-tokenbroker_31bf3856ad364e35_10.0.19041.264_none_81941817097d6ad9\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.1_none_30033f434a10c03b\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-time-service_31bf3856ad364e35_10.0.19041.546_none_66a0aaafcc19efa6\r\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-system-user-component_31bf3856ad364e35_10.0.19041.746_none_433309da997788da\f\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-lsa_31bf3856ad364e35_10.0.19041.1288_none_1b12314c11faf44f\f\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ompat-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_1ea6184230ef3b88\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-m..agnostics.resources_31bf3856ad364e35_10.0.19041.1_en-us_e308aacf5028c5bc\HOW_TO_DECRYPT.txt 
88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-n..sh-helper.resources_31bf3856ad364e35_10.0.19041.1_de-de_f537abe99cee28a1\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_1394.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_18abfb34c13d1e13\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-iis-managementconsole_31bf3856ad364e35_10.0.19041.906_none_65f82ba919c64b11\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-iorate.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d2c7b958d748f740\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-raw-image-codec_31bf3856ad364e35_10.0.19041.746_none_5de782925eeebf9c\f\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_mdmsettingsprov.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ac6490f48102971d\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-onecore-pickerplatform_31bf3856ad364e35_10.0.19041.746_none_eee6f2fb559f805a\r\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-s..r-service.resources_31bf3856ad364e35_10.0.19041.1_it-it_0045d40071d3b1c1\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-t..edirector.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_ae1db47ab62c0550\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File 
created C:\Windows\WinSxS\amd64_microsoft-windows-s..enanceservice-rdbui_31bf3856ad364e35_10.0.19041.264_none_4172d33eec08dc48\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-vssapi-core.resources_31bf3856ad364e35_10.0.19041.1_de-de_3ac50fa641ec55af\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-azman.resources_31bf3856ad364e35_10.0.19041.1_de-de_1eb5c1b41ae46c4e\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-b..servicing.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_50efe1c272cffbe6\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-p..worker-v2.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_6d8560a0f3f603a7\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-security-kerberos_31bf3856ad364e35_10.0.19041.1288_none_5b9e83b565fd4c11\r\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-aerolite.resources_31bf3856ad364e35_10.0.19041.1_it-it_02416b37e9f8223a\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-shdocvw.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_a7bcfe2227b4535d\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\Temp\InFlight\1126c4c130ceda0105160000b818f816\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created 
C:\Windows\WinSxS\amd64_cmbatt.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_05d01a77a31b22e9\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_ksfilter.inf.resources_31bf3856ad364e35_10.0.19041.1_de-de_87ac69ab754cd577\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-edp-util_31bf3856ad364e35_10.0.19041.546_none_cc8076c97817971b\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-r..tymanager.resources_31bf3856ad364e35_10.0.19041.1_es-es_5e719309f130e2c7\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-deviceaccess_31bf3856ad364e35_10.0.19041.1_none_c3647879797cd04d\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-flacdecoder_31bf3856ad364e35_10.0.19041.207_none_bf65af0eb7a111cf\r\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-m..a-casting-shell-ext_31bf3856ad364e35_10.0.19041.1_none_85ebd2ce905d7e55\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_dual_netvwifimp.inf_31bf3856ad364e35_10.0.19041.1_none_40b6493242d19500\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-commandlinehelp_31bf3856ad364e35_10.0.19041.1_none_8a1c4327a89528e3\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created 
C:\Windows\WinSxS\amd64_microsoft-windows-i..trolpanel.resources_31bf3856ad364e35_11.0.19041.1_de-de_637c57bb03857b9b\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-pktmon-setup.resources_31bf3856ad364e35_10.0.19041.1_es-es_a21632d3b2e6ad58\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\SystemApps\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\microsoft.system.package.metadata\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-d..-japanese-nameinput_31bf3856ad364e35_10.0.19041.844_none_31558acc9ffb2f89\r\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-lxss-wsl.resources_31bf3856ad364e35_10.0.19041.1_de-de_58e44372ffcbee60\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-ntfs_31bf3856ad364e35_10.0.19041.1266_none_1b36fd42d21cefbc\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-rpc-endpointmapper_31bf3856ad364e35_10.0.19041.662_none_2872266c417996fa\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-e..mgmt-mdmdiagnostics_31bf3856ad364e35_10.0.19041.153_none_c53a7431a32f351e\r\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-rndis-usb-microport_31bf3856ad364e35_10.0.19041.1_none_7addd27bf208c224\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe -
Delays execution with timeout.exe 64 IoCs
pid  Process
1248  timeout.exe
2400  timeout.exe
1696  timeout.exe
2772  timeout.exe
4972  timeout.exe
4084  timeout.exe
3408  timeout.exe
320  timeout.exe
5068  timeout.exe
752  timeout.exe
3976  timeout.exe
2244  timeout.exe
4736  timeout.exe
2532  timeout.exe
3116  timeout.exe
760  timeout.exe
1732  timeout.exe
4948  timeout.exe
3928  timeout.exe
2428  timeout.exe
4784  timeout.exe
4500  timeout.exe
5060  timeout.exe
1412  timeout.exe
2236  timeout.exe
3180  timeout.exe
4488  timeout.exe
2468  timeout.exe
2240  timeout.exe
2144  timeout.exe
2684  timeout.exe
1480  timeout.exe
3572  timeout.exe
3968  timeout.exe
3952  timeout.exe
4784  timeout.exe
1040  timeout.exe
3332  timeout.exe
320  timeout.exe
1028  timeout.exe
2848  timeout.exe
4784  timeout.exe
4048  timeout.exe
1948  timeout.exe
2536  timeout.exe
1128  timeout.exe
4864  timeout.exe
1596  timeout.exe
3304  timeout.exe
4328  timeout.exe
180  timeout.exe
448  timeout.exe
1116  timeout.exe
2536  timeout.exe
3772  timeout.exe
1400  timeout.exe
2460  timeout.exe
2312  timeout.exe
1848  timeout.exe
2404  timeout.exe
2392  timeout.exe
3116  timeout.exe
4120  timeout.exe
2900  timeout.exe
Modifies registry class 2 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2547232018-1419253926-3356748848-1000\{C54DEE5D-F6B6-4848-BA23-A2B027292723}  explorer.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  explorer.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid  Process
384  88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
384  88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
description  pid  Process
Token: SeShutdownPrivilege  1696  explorer.exe
Token: SeCreatePagefilePrivilege  1696  explorer.exe
Token: SeShutdownPrivilege  1696  explorer.exe
Token: SeCreatePagefilePrivilege  1696  explorer.exe
Token: SeShutdownPrivilege  1696  explorer.exe
Token: SeCreatePagefilePrivilege  1696  explorer.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid  Process
1696  explorer.exe
1696  explorer.exe
Suspicious use of SendNotifyMessage 6 IoCs
pid  Process
1696  explorer.exe
1696  explorer.exe
1696  explorer.exe
1696  explorer.exe
1696  explorer.exe
1696  explorer.exe
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
PID 384 wrote to memory of 4860  384  88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe  84
PID 384 wrote to memory of 4860  384  88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe  84
PID 384 wrote to memory of 4860  384  88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe  84
PID 384 wrote to memory of 1656  384  88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe  85
PID 384 wrote to memory of 1656  384  88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe  85
PID 384 wrote to memory of 1656  384  88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe  85
PID 4860 wrote to memory of 4956  4860  cmd.exe  88
PID 4860 wrote to memory of 4956  4860  cmd.exe  88
PID 4860 wrote to memory of 4956  4860  cmd.exe  88
PID 4860 wrote to memory of 3932  4860  cmd.exe  89
PID 4860 wrote to memory of 3932  4860  cmd.exe  89
PID 4860 wrote to memory of 3932  4860  cmd.exe  89
PID 4860 wrote to memory of 2420  4860  cmd.exe  90
PID 4860 wrote to memory of 2420  4860  cmd.exe  90
PID 4860 wrote to memory of 2420  4860  cmd.exe  90
PID 4860 wrote to memory of 1028  4860  cmd.exe  91
PID 4860 wrote to memory of 1028  4860  cmd.exe  91
PID 4860 wrote to memory of 1028  4860  cmd.exe  91
PID 4860 wrote to memory of 4552  4860  cmd.exe  92
PID 4860 wrote to memory of 4552  4860  cmd.exe  92
PID 4860 wrote to memory of 4552  4860  cmd.exe  92
PID 4860 wrote to memory of 412  4860  cmd.exe  93
PID 4860 wrote to memory of 412  4860  cmd.exe  93
PID 4860 wrote to memory of 412  4860  cmd.exe  93
PID 4860 wrote to memory of 2772  4860  cmd.exe  94
PID 4860 wrote to memory of 2772  4860  cmd.exe  94
PID 4860 wrote to memory of 2772  4860  cmd.exe  94
PID 4860 wrote to memory of 5068  4860  cmd.exe  95
PID 4860 wrote to memory of 5068  4860  cmd.exe  95
PID 4860 wrote to memory of 5068  4860  cmd.exe  95
PID 4860 wrote to memory of 2532  4860  cmd.exe  96
PID 4860 wrote to memory of 2532  4860  cmd.exe  96
PID 4860 wrote to memory of 2532  4860  cmd.exe  96
PID 4860 wrote to memory of 752  4860  cmd.exe  97
PID 4860 wrote to memory of 752  4860  cmd.exe  97
PID 4860 wrote to memory of 752  4860  cmd.exe  97
PID 4860 wrote to memory of 448  4860  cmd.exe  98
PID 4860 wrote to memory of 448  4860  cmd.exe  98
PID 4860 wrote to memory of 448  4860  cmd.exe  98
PID 4860 wrote to memory of 1948  4860  cmd.exe  99
PID 4860 wrote to memory of 1948  4860  cmd.exe  99
PID 4860 wrote to memory of 1948  4860  cmd.exe  99
PID 4860 wrote to memory of 1600  4860  cmd.exe  100
PID 4860 wrote to memory of 1600  4860  cmd.exe  100
PID 4860 wrote to memory of 1600  4860  cmd.exe  100
PID 4860 wrote to memory of 3576  4860  cmd.exe  101
PID 4860 wrote to memory of 3576  4860  cmd.exe  101
PID 4860 wrote to memory of 3576  4860  cmd.exe  101
PID 4860 wrote to memory of 1500  4860  cmd.exe  102
PID 4860 wrote to memory of 1500  4860  cmd.exe  102
PID 4860 wrote to memory of 1500  4860  cmd.exe  102
PID 4860 wrote to memory of 1336  4860  cmd.exe  103
PID 4860 wrote to memory of 1336  4860  cmd.exe  103
PID 4860 wrote to memory of 1336  4860  cmd.exe  103
PID 4860 wrote to memory of 2244  4860  cmd.exe  105
PID 4860 wrote to memory of 2244  4860  cmd.exe  105
PID 4860 wrote to memory of 2244  4860  cmd.exe  105
PID 4860 wrote to memory of 3180  4860  cmd.exe  107
PID 4860 wrote to memory of 3180  4860  cmd.exe  107
PID 4860 wrote to memory of 3180  4860  cmd.exe  107
PID 4860 wrote to memory of 2536  4860  cmd.exe  108
PID 4860 wrote to memory of 2536  4860  cmd.exe  108
PID 4860 wrote to memory of 2536  4860  cmd.exe  108
PID 4860 wrote to memory of 2468  4860  cmd.exe  109
Processes
-
C:\Users\Admin\AppData\Local\Temp\88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe  "C:\Users\Admin\AppData\Local\Temp\88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe"  (level 1)  PID:384
  - Drops file in Drivers directory
  - Drops startup file
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c hive.bat >NUL 2>NUL  (level 2)  PID:4860
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:4956
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:3932
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2420
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:1028
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:4552
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:412
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2772
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:5068
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2532
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:752
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:448
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:1948
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:1600
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:3576
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:1500
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:1336
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2244
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:3180
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2536
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2468
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:1248
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:4224
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:3332
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:1416
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2308
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2240
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2384
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:3612
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2144
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2684
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2756
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:4948
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2840
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2428
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:4148
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:4084
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:3116
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2392
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:3304
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:3864
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:1116
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:4972
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:3112
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:4644
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:3116
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:1416
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:1480
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:4784
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2400
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:1128
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:4468
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2320
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:1924
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2404
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:320
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:1072
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2232
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:3428
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:1800
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:3296
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:3992
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2424
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:3572
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:3092
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:1696
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:3596
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2124
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:1028
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:3132
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:760
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2848
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:1020
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:3968
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:4628
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2360
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2096
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:3312
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:752
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:4784
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:3952
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2420
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:4924
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:1596
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2208
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:1400
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:4120
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:4488
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:4184
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:3896
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:752
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:1044
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2460
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2900
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:4076
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2312
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:4724
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:3480
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:4500
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:4328
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:732
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:5060
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:3408
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:3976
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:1848
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:432
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:4784
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:1700
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:4048
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2408
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:1412
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2536
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:3572
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:320
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:1732
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2404
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2236
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:4948
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:180
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:4732
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2244
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:3912
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:3928
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:3888
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:1040
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:4864
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:1820
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:4672
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:3296
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2880
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:4736
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:4152
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:1596
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:3772
      - Delays execution with timeout.exe
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:4436
    C:\Windows\SysWOW64\timeout.exe  timeout 1  (level 3)  PID:2764
  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c shadow.bat >NUL 2>NUL  (level 2)  PID:1656
-
C:\Windows\explorer.exe  explorer.exe  (level 1)  PID:1696
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
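The tree above is the shape a process-lineage detection can key on: the sample spawns two cmd.exe children, each running a dropped batch file (hive.bat, shadow.bat), and the hive.bat shell in turn spawns a long run of `timeout 1` children, which is the batch looping until it can finish its job. The following is an added example and not part of this report or of the sandbox's tooling. Its events are constructed to mirror the first twenty timeout children listed under PID 4860 plus one benign control; the sample's own parent PID (1000) and the build.bat control are assumptions, since the report shows neither.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record, the fields a Sysmon EID 1 or a sandbox tree row carries."""
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
TIMEOUT = r"C:\Windows\SysWOW64\timeout.exe"

# Constructed events modelled on the tree in this report; not an exported log.
# PPID 1000 for the sample is an assumption: the report does not show its parent.
EVENTS = [
    ProcEvent(384, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4860, 384, CMD, r"C:\Windows\system32\cmd.exe /c hive.bat >NUL 2>NUL"),
    ProcEvent(1656, 384, CMD, r"C:\Windows\system32\cmd.exe /c shadow.bat >NUL 2>NUL"),
    # the first twenty timeout children the report lists under PID 4860
    *[ProcEvent(p, 4860, TIMEOUT, "timeout 1") for p in (
        4956, 3932, 2420, 1028, 4552, 412, 2772, 5068, 2532, 752,
        448, 1948, 1600, 3576, 1500, 1336, 2244, 3180, 2536, 2468)],
    # benign control (constructed): a build script that waits once
    ProcEvent(7000, 6000, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c build.bat"),
    ProcEvent(7001, 7000, r"C:\Windows\System32\timeout.exe", "timeout 5"),
]

_BAT_RE = re.compile(r'/c\s+"?([^\s"]+\.bat)"?', re.IGNORECASE)
_WAIT_RE = re.compile(r"^timeout(\.exe)?\s+(/t\s+)?\d+", re.IGNORECASE)


def _is(image: str, name: str) -> bool:
    """Match on the image file name only, so SysWOW64 and System32 copies both count."""
    return image.lower().endswith("\\" + name)


def batch_scripts_under(events, parent_pid):
    """Batch files launched via cmd.exe /c directly under parent_pid, in event order."""
    names = []
    for e in events:
        if e.ppid == parent_pid and _is(e.image, "cmd.exe"):
            m = _BAT_RE.search(e.cmdline)
            if m:
                names.append(m.group(1))
    return names


def timeout_loop_parents(events, min_children=10):
    """cmd.exe /c <x>.bat shells that spawned at least min_children timeout waits.

    Returns (pid, batch name, wait count) per hit. PIDs are reused over a long
    run (this report lists PID 4784 three times under 4860), so children are
    grouped straight from the event list rather than through a pid->event map.
    """
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    hits = []
    for e in events:
        if not _is(e.image, "cmd.exe"):
            continue
        m = _BAT_RE.search(e.cmdline)
        if not m:
            continue
        waits = [c for c in children[e.pid]
                 if _is(c.image, "timeout.exe") and _WAIT_RE.match(c.cmdline.strip())]
        if len(waits) >= min_children:
            hits.append((e.pid, m.group(1), len(waits)))
    return hits


if __name__ == "__main__":
    print("batch scripts under PID 384:", batch_scripts_under(EVENTS, 384))
    print("timeout loops:", timeout_loop_parents(EVENTS))
```

The threshold is the tuning knob: a single `timeout` under a script is ordinary administration, a dozen within one shell's lifetime is not, and the `shadow.bat` sibling under the same parent is the second signal worth correlating with the first.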
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize  1KB
MD5       80207d0f8ea42bdfeaf9f5c586230aca
SHA1      747481fe2b0b6d81c3b19ba62d1e49eab6a5461f
SHA256    25edefb3b0678dfe0d927ff48ce67254359ba379df9468f634d02c026f0e7131
SHA512    73f68ce9e98d2346be1762bd54bb06ef83ae939dfbcf9b786d9b773fa454352613387d264b7a87a1c08950226553817bf01f5aa4107bc12de36a1689e2137304
-
Filesize  129B
MD5       ac516db7a25e5422fd1e0067efecfde6
SHA1      76926b14a1024795b0ebc0bacdceef385e5074b3
SHA256    a02ab70e95dbdb2f1504dd46db26fd5fe4342f3c9d48cd5520c3f1404017f577
SHA512    bf30ed11f1fb1accf44cf291f32e72067a54f8a130959bf4c297163b4a4bec8c821cb66c1272e1c85b97c6a96fe66e3b35829013a1bb89699d70e84e4ed52496
-
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.2IsxdCEZjn6OcoOXEGUF9nL5RzaNKaYSgsNz-vkwehw.hive
Filesize  622KB
MD5       b72698e549b478425bffd89fc33bb511
SHA1      b415b68bcb680b856140c93f75a90f358ce86878
SHA256    9afdf2fcbc8f6a53c9716d01f72c8e0a5f43ebdae84558d7f50fb8f7056dd3b0
SHA512    fc489037a7f4d97b7e2f349580f67df5650ce99e8b93d78eca75017ef762c8b7d553583db1ca9d7385aaee4ce63c8bb5129b7d57bf702fab30d4a6605f7394dc
-
Filesize  282B
MD5       99f01766121a7e6900bdb1e288445202
SHA1      69f701d12697cf5b023b573d7541d06a49957f3d
SHA256    bcb1b2050f78a0f5c54c07bab95e56b7a680cbf307077f97c515fac56d5a9ad5
SHA512    8acc52a90a7f71ad6930ec9de79d49b8306b7ba2f4b1f4dfb285f1a19d2742b6447fb0082bd3684e00e1e222931df1a02574438e84d8bdf3afda30d3fe23882b
-
Filesize  57B
MD5       df5552357692e0cba5e69f8fbf06abb6
SHA1      4714f1e6bb75a80a8faf69434726d176b70d7bd8
SHA256    d158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8
SHA512    a837555a1175ab515e2b43da9e493ff0ccd4366ee59defe6770327818ca9afa6f3e39ecdf5262b69253aa9e2692283ee8cebc97d58edd42e676977c7f73d143d
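The third download above shows how the encryptor renamed files on this host: the original name is kept (here a `.db` under ProgramData), followed by a dot, a 43-character base64url token with no padding, and the `.hive` extension. Such a token decodes to exactly 32 bytes. What those bytes represent is not stated in this report, so the parser below treats them as an opaque per-file marker. This is an added example, not part of the report; the listing it runs over is constructed from the one encrypted name the report shows plus two control names that are assumptions.

```python
import base64
import ntpath
import re
from typing import Optional, Tuple

# <original name>.<43 base64url chars, unpadded>.hive
_HIVE_RE = re.compile(r"^(?P<orig>.+)\.(?P<token>[A-Za-z0-9_-]{43})\.hive$")


def parse_hive_name(path: str) -> Optional[Tuple[str, bytes]]:
    """Split an encrypted-file name into (original name, decoded 32-byte token).

    Returns None for names that do not fit the pattern, including files that
    merely end in .hive, so a caller can sweep a whole listing unfiltered.
    """
    m = _HIVE_RE.match(ntpath.basename(path))
    if not m:
        return None
    token = m.group("token")
    # 43 unpadded base64url characters carry 32 bytes; restore the padding before decoding.
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    if len(raw) != 32:
        return None
    return m.group("orig"), raw


def sweep(paths):
    """Return {path: original name} for every path that carries the marker."""
    found = {}
    for p in paths:
        parsed = parse_hive_name(p)
        if parsed:
            found[p] = parsed[0]
    return found


# Constructed listing: the one encrypted name this report shows, plus two control
# entries that are assumptions (an ordinary document and a file that just ends in .hive).
LISTING = [
    r"C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.2IsxdCEZjn6OcoOXEGUF9nL5RzaNKaYSgsNz-vkwehw.hive",
    r"C:\Users\Admin\Documents\report.docx",
    r"C:\Users\Admin\Documents\archive.hive",
]

if __name__ == "__main__":
    for path, orig in sweep(LISTING).items():
        print(orig, "<-", path)
```

Keying on the full `<name>.<43 chars>.hive` shape rather than on the bare extension is what keeps the sweep from counting unrelated `.hive` files, and the original name it recovers is what an incident responder needs when reconciling the encrypted set against backups.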