Analysis
max time kernel: 150s
max time network: 95s
platform: windows11-21h2_x64
resource: win11-20240704-en
resource tags: arch:x64, arch:x86, image:win11-20240704-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 05/07/2024, 16:42
Behavioral task: behavioral1
Sample: 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
Resource: win10v2004-20240704-en
Behavioral task: behavioral2
Sample: 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
Resource: win11-20240704-en
General
Target: 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
Size: 764KB
MD5: 2f9fc82898d718f2abe99c4a6fa79e69
SHA1: 9d336b8911c8ffd7cc809e31d5b53796bb0cc7bb
SHA256: 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1
SHA512: 19f0879b1c54d305ab7a97a0d46ab79c103d4687fe37d5f9ef1934904eea48a1c66b1ac2de3dace6dc0d91623309287044c198cb0b3fc9f8453fbc9d1c0cae8b
SSDEEP: 12288:CinNFNkY/yU97ppM4NSBG81Np2C9H4S3iDjlLtc4wCIITIQaOI6NrwacVYV+4MsT:CinN3n/y67jM4v4kCSPDjlLtbwt8IQLH
Malware Config
Extracted
Path: F:\$RECYCLE.BIN\HOW_TO_DECRYPT.txt
Family: hive
URLs:
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
Signatures
Detects Go variant of Hive Ransomware 14 IoCs
Hive: A ransomware written in Golang, first seen in June 2021.
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3637012076-1497690007-2831451688-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Drops file in Drivers directory 8 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\drivers\HOW_TO_DECRYPT.txt | 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created | C:\Windows\SysWOW64\drivers\UMDF\HOW_TO_DECRYPT.txt | 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created | C:\Windows\SysWOW64\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt | 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created | C:\Windows\SysWOW64\drivers\en-US\HOW_TO_DECRYPT.txt | 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification | C:\Windows\SysWOW64\drivers\HOW_TO_DECRYPT.txt | 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\HOW_TO_DECRYPT.txt | 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt | 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\HOW_TO_DECRYPT.txt | 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
Drops startup file 4 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW_TO_DECRYPT.txt | 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\HOW_TO_DECRYPT.txt | 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.F6MgNQjXQek376xd1mxc86Q_0W3Gb3I1pGjQDew01Wk.hive | 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) 64 IoCs
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 64 IoCs
Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_x64__8wekyb3d8bbwe\XboxStub.winmd 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_neutral_split.scale-125_8wekyb3d8bbwe\Win10\contrast-white\MicrosoftSolitaireSplashScreen.scale-125_contrast-white.png 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-64_altform-unplated_contrast-white.png 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\contrast-white\GetHelpAppList.targetsize-256_contrast-white.png 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\models\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\SnipSketchAppList.targetsize-16.png 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-72_contrast-black.png 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program 
Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ObjectModel.dll.F6MgNQjXQek376xd1mxc8-WR7QoOj4sp0Zji7SaucQY.hive 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\7-Zip\Lang\co.txt.F6MgNQjXQek376xd1mxc80bubqSH2Aw4ABUSsUimrTU.hive 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoev.exe 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.VisualStudio.Tools.Applications.Runtime.dll.F6MgNQjXQek376xd1mxc8zEFozIWyeglv_PLZuubmjk.hive 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\WeatherMedTile.scale-125_contrast-black.png 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\PeopleLargeTile.scale-200.png 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\en-US.pak 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\contrast-black\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Resources\fi-fi\Resources.resw 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program 
Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\GenericMailBadge.scale-400.png 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\faf_icons.png.F6MgNQjXQek376xd1mxc8-9DxdJqOllY513WAVgglw8.hive 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Program Files\WindowsApps\Microsoft.People_2020.901.1724.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_neutral_split.scale-100_8wekyb3d8bbwe\Images\Square150x150Logo.scale-100.png 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..native-whitebox-isv_31bf3856ad364e35_10.0.22000.120_none_e4b70edd74d735f3\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\servicing\Version\10.0.22000.469\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-printing-winrt-core_31bf3856ad364e35_10.0.22000.120_none_efd6409490b360ca\f\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-u..stratorcore-regkeys_31bf3856ad364e35_10.0.22000.1_none_f802221d0a02efa2\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-webio.resources_31bf3856ad364e35_10.0.22000.1_en-us_55bd368c3d7343e9\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_windows-media-speech-winrt.resources_31bf3856ad364e35_10.0.22000.348_pl-pl_5eb237c088041a85\r\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-recoverydrive_31bf3856ad364e35_10.0.22000.132_none_23ef129810e14356\f\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..component.resources_31bf3856ad364e35_10.0.22000.120_sk-sk_651ca47084f3510d\f\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created 
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\wow64_microsoft-windows-s..-credential-manager_31bf3856ad364e35_10.0.22000.41_none_3e2aefdcd78a4fc0\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-onecore-windowmanagementapi_31bf3856ad364e35_10.0.22000.1_none_94d798fa96be65c3\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-i..ltinstall.resources_31bf3856ad364e35_10.0.22000.1_en-us_0720599b766302e4\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-netcfg.resources_31bf3856ad364e35_10.0.22000.1_en-us_8e371eb2260fc1b6\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-timebroker_31bf3856ad364e35_10.0.22000.1_none_240183e1772a3f68\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\wow64_microsoft-windows-g..onenumberformatting_31bf3856ad364e35_10.0.22000.1_none_d16a35eddef5e22b\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-c..-migregdb.resources_31bf3856ad364e35_10.0.22000.1_en-us_16f5b9ce267e1a58\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-h..applicationguardcsp_31bf3856ad364e35_10.0.22000.1_none_4b036fe6a2417044\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-i..l-keyboard-00040437_31bf3856ad364e35_10.0.22000.1_none_cca7b8d1318fa9eb\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe 
File created C:\Windows\WinSxS\amd64_system.text.encoding_b03f5f7f11d50a3a_4.0.15806.0_none_e7f7bdfc586a36e9\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-hyper-v-kmcl_31bf3856ad364e35_10.0.22000.348_none_6ea8a4cee19ec091\f\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-speechengine.resources_31bf3856ad364e35_10.0.22000.1_en-us_6f19b7dfdafd3277\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\msil_microsoft.windows.a..agemanager.commands_31bf3856ad364e35_10.0.22000.71_none_67182c885b2b58e8\f\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\wow64_microsoft-windows-wimgapi.resources_31bf3856ad364e35_10.0.22000.1_en-us_79efdbfef9ac0434\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\Migration\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-fsd_31bf3856ad364e35_10.0.22000.318_none_a3112576e113d69e\r\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-s..formers-shell-extra_31bf3856ad364e35_10.0.22000.469_none_e551c620026f55e3\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..erprisesn.resources_31bf3856ad364e35_10.0.22000.493_it-it_042fef122ba66b0c\f\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created 
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-n..-security.resources_31bf3856ad364e35_10.0.22000.258_sv-se_2e9e915b120028c8\f\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-d..windowmanager-redir_31bf3856ad364e35_10.0.22000.132_none_2c63a6cce8abd4fb\f\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-k..eo-capture-plug-ins_31bf3856ad364e35_10.0.22000.1_none_4bae3a1f4561b94e\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\wow64_microsoft-windows-media-devices_31bf3856ad364e35_10.0.22000.348_none_81139a8c98faf909\f\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\x86_netfx-aspnet_config_b03f5f7f11d50a3a_10.0.22000.1_none_6db0f3463af99282\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..erprisesn.resources_31bf3856ad364e35_10.0.22000.493_cs-cz_342eda8c7a812129\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..riseseval.resources_31bf3856ad364e35_10.0.22000.493_zh-tw_26fdc6e7ce67066d\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\enterpriseNgcEnrollment\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created 
C:\Windows\WinSxS\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_10.0.22000.1_nb-no_73da079222880ac8\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\wow64_microsoft-windows-errorreportingcore_31bf3856ad364e35_10.0.22000.1_none_810efa0e3f0e1154\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\wow64_microsoft-windows-rpc-http_31bf3856ad364e35_10.0.22000.1_none_009134e8787dbf19\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-a..olicy-snapin-native_31bf3856ad364e35_10.0.22000.100_none_3ae65740b4fd1a27\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\wow64_microsoft-windows-provisioning-platform_31bf3856ad364e35_10.0.22000.1_none_cb20c829bd1c95e8\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\wow64_microsoft-windows-wordbreaker7-mswb7_31bf3856ad364e35_10.0.22000.1_none_3a8eaacaae101f3d\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..n-desktop.resources_31bf3856ad364e35_10.0.22000.160_tr-tr_c34cd62192cdf941\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_networking-mpssvc-svc.resources_31bf3856ad364e35_10.0.22000.184_sk-sk_6acd231259f1a63b\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-lsa.resources_31bf3856ad364e35_10.0.22000.434_en-us_82063c1e1bcd4fb1\f\HOW_TO_DECRYPT.txt 
88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-u..fyiconexe.resources_31bf3856ad364e35_10.0.22000.1_en-us_aa950c8831589e2c\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\r\webapps\guidedsetup\network\area-content\mr-IN\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..k-library.resources_31bf3856ad364e35_10.0.22000.120_da-dk_0c0acf97d01ce2c6\f\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..k-library.resources_31bf3856ad364e35_10.0.22000.120_pt-pt_b4a540bd2cf4b0a0\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Local\Desktop\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-filehistory-adm_31bf3856ad364e35_10.0.22000.1_none_5ff78103bbe0a897\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\wow64_microsoft-windows-m..sql-netlibs-winsock_31bf3856ad364e35_10.0.22000.1_none_045d3cf6a9f4e7b1\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created 
C:\Windows\WinSxS\amd64_wpf-presentationhostdll_31bf3856ad364e35_10.0.22000.1_none_c64f0adf24c84f37\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.22000.493_ar-sa_5aa1ce51764cf4e1\f\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.22000.493_hr-hr_270d4df27aae2c06\f\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\wow64_microsoft-windows-a..-messagingdatamodel_31bf3856ad364e35_10.0.22000.65_none_76e58ed6e399cb65\f\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-container-manager_31bf3856ad364e35_10.0.22000.318_none_8e5804ec62c5891c\f\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-n..tcmdtools.resources_31bf3856ad364e35_10.0.22000.1_en-us_3373e078c42383e3\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\msil_microsoft.powershel..ommands.diagnostics_31bf3856ad364e35_1.0.0.0_none_1ad99b7886d3621f\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_10.0.22000.493_zh-tw_dd7e373b1e2e6e65\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File 
created C:\Windows\WinSxS\amd64_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_10.0.22000.194_none_e55b4ade61785172\f\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\amd64_netfx4-eventlogmessages_dll_b03f5f7f11d50a3a_4.0.15806.0_none_f28deb9e9542634d\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\WinSxS\wow64_microsoft-onecore-t..ngservice.resources_31bf3856ad364e35_10.0.22000.1_en-us_3eba59611fb483bd\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-wmadmod_31bf3856ad364e35_10.0.22000.120_none_81b41c1ba325914b\f\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Activities.Build\v4.0_4.0.0.0__31bf3856ad364e35\HOW_TO_DECRYPT.txt 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe -
Delays execution with timeout.exe 64 IoCs
pid Process
1680 timeout.exe
3152 timeout.exe
2744 timeout.exe
3948 timeout.exe
5480 timeout.exe
4044 timeout.exe
1956 timeout.exe
2576 timeout.exe
3496 timeout.exe
4140 timeout.exe
2936 timeout.exe
4976 timeout.exe
1644 timeout.exe
1848 timeout.exe
132 timeout.exe
3596 timeout.exe
3956 timeout.exe
1448 timeout.exe
5716 timeout.exe
3720 timeout.exe
4740 timeout.exe
760 timeout.exe
5468 timeout.exe
2772 timeout.exe
1840 timeout.exe
1648 timeout.exe
5988 timeout.exe
1140 timeout.exe
5716 timeout.exe
2916 timeout.exe
2120 timeout.exe
348 timeout.exe
1556 timeout.exe
5324 timeout.exe
4744 timeout.exe
5984 timeout.exe
1012 timeout.exe
3364 timeout.exe
4820 timeout.exe
4700 timeout.exe
1004 timeout.exe
1724 timeout.exe
4976 timeout.exe
892 timeout.exe
4756 timeout.exe
3792 timeout.exe
4896 timeout.exe
5260 timeout.exe
2532 timeout.exe
3108 timeout.exe
5592 timeout.exe
3600 timeout.exe
5960 timeout.exe
2304 timeout.exe
1560 timeout.exe
5480 timeout.exe
3656 timeout.exe
4216 timeout.exe
4816 timeout.exe
2932 timeout.exe
2908 timeout.exe
3128 timeout.exe
904 timeout.exe
5896 timeout.exe
Modifies registry class 1 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3637012076-1497690007-2831451688-1000\{1B0DFF04-2EDB-495D-BB8C-701C4631D8C7} explorer.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
5744 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
5744 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe
Suspicious use of AdjustPrivilegeToken 12 IoCs
description pid Process
Token: SeShutdownPrivilege 3644 explorer.exe
Token: SeCreatePagefilePrivilege 3644 explorer.exe
Token: SeShutdownPrivilege 3644 explorer.exe
Token: SeCreatePagefilePrivilege 3644 explorer.exe
Token: SeShutdownPrivilege 3644 explorer.exe
Token: SeCreatePagefilePrivilege 3644 explorer.exe
Token: SeShutdownPrivilege 3644 explorer.exe
Token: SeCreatePagefilePrivilege 3644 explorer.exe
Token: SeShutdownPrivilege 3644 explorer.exe
Token: SeCreatePagefilePrivilege 3644 explorer.exe
Token: SeShutdownPrivilege 3644 explorer.exe
Token: SeCreatePagefilePrivilege 3644 explorer.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
3644 explorer.exe
3644 explorer.exe
Suspicious use of SendNotifyMessage 8 IoCs
pid Process
3644 explorer.exe
3644 explorer.exe
3644 explorer.exe
3644 explorer.exe
3644 explorer.exe
3644 explorer.exe
3644 explorer.exe
3644 explorer.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 5744 wrote to memory of 3040 5744 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe 78
PID 5744 wrote to memory of 3040 5744 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe 78
PID 5744 wrote to memory of 3040 5744 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe 78
PID 5744 wrote to memory of 5316 5744 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe 79
PID 5744 wrote to memory of 5316 5744 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe 79
PID 5744 wrote to memory of 5316 5744 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe 79
PID 3040 wrote to memory of 1448 3040 cmd.exe 82
PID 3040 wrote to memory of 1448 3040 cmd.exe 82
PID 3040 wrote to memory of 1448 3040 cmd.exe 82
PID 3040 wrote to memory of 3108 3040 cmd.exe 83
PID 3040 wrote to memory of 3108 3040 cmd.exe 83
PID 3040 wrote to memory of 3108 3040 cmd.exe 83
PID 3040 wrote to memory of 5048 3040 cmd.exe 84
PID 3040 wrote to memory of 5048 3040 cmd.exe 84
PID 3040 wrote to memory of 5048 3040 cmd.exe 84
PID 3040 wrote to memory of 5792 3040 cmd.exe 85
PID 3040 wrote to memory of 5792 3040 cmd.exe 85
PID 3040 wrote to memory of 5792 3040 cmd.exe 85
PID 3040 wrote to memory of 3352 3040 cmd.exe 86
PID 3040 wrote to memory of 3352 3040 cmd.exe 86
PID 3040 wrote to memory of 3352 3040 cmd.exe 86
PID 3040 wrote to memory of 4744 3040 cmd.exe 87
PID 3040 wrote to memory of 4744 3040 cmd.exe 87
PID 3040 wrote to memory of 4744 3040 cmd.exe 87
PID 3040 wrote to memory of 4976 3040 cmd.exe 88
PID 3040 wrote to memory of 4976 3040 cmd.exe 88
PID 3040 wrote to memory of 4976 3040 cmd.exe 88
PID 3040 wrote to memory of 1548 3040 cmd.exe 89
PID 3040 wrote to memory of 1548 3040 cmd.exe 89
PID 3040 wrote to memory of 1548 3040 cmd.exe 89
PID 3040 wrote to memory of 5960 3040 cmd.exe 90
PID 3040 wrote to memory of 5960 3040 cmd.exe 90
PID 3040 wrote to memory of 5960 3040 cmd.exe 90
PID 3040 wrote to memory of 232 3040 cmd.exe 91
PID 3040 wrote to memory of 232 3040 cmd.exe 91
PID 3040 wrote to memory of 232 3040 cmd.exe 91
PID 3040 wrote to memory of 1984 3040 cmd.exe 92
PID 3040 wrote to memory of 1984 3040 cmd.exe 92
PID 3040 wrote to memory of 1984 3040 cmd.exe 92
PID 3040 wrote to memory of 4616 3040 cmd.exe 93
PID 3040 wrote to memory of 4616 3040 cmd.exe 93
PID 3040 wrote to memory of 4616 3040 cmd.exe 93
PID 3040 wrote to memory of 2932 3040 cmd.exe 94
PID 3040 wrote to memory of 2932 3040 cmd.exe 94
PID 3040 wrote to memory of 2932 3040 cmd.exe 94
PID 3040 wrote to memory of 2304 3040 cmd.exe 95
PID 3040 wrote to memory of 2304 3040 cmd.exe 95
PID 3040 wrote to memory of 2304 3040 cmd.exe 95
PID 3040 wrote to memory of 2908 3040 cmd.exe 96
PID 3040 wrote to memory of 2908 3040 cmd.exe 96
PID 3040 wrote to memory of 2908 3040 cmd.exe 96
PID 3040 wrote to memory of 5984 3040 cmd.exe 97
PID 3040 wrote to memory of 5984 3040 cmd.exe 97
PID 3040 wrote to memory of 5984 3040 cmd.exe 97
PID 3040 wrote to memory of 5808 3040 cmd.exe 98
PID 3040 wrote to memory of 5808 3040 cmd.exe 98
PID 3040 wrote to memory of 5808 3040 cmd.exe 98
PID 3040 wrote to memory of 132 3040 cmd.exe 99
PID 3040 wrote to memory of 132 3040 cmd.exe 99
PID 3040 wrote to memory of 132 3040 cmd.exe 99
PID 3040 wrote to memory of 128 3040 cmd.exe 100
PID 3040 wrote to memory of 128 3040 cmd.exe 100
PID 3040 wrote to memory of 128 3040 cmd.exe 100
PID 3040 wrote to memory of 4224 3040 cmd.exe 101
Processes
- C:\Users\Admin\AppData\Local\Temp\88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe (command line: "C:\Users\Admin\AppData\Local\Temp\88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1.exe", depth 1)
  - Drops file in Drivers directory
  - Drops startup file
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5744
  - C:\Windows\SysWOW64\cmd.exe (command line: C:\Windows\system32\cmd.exe /c hive.bat >NUL 2>NUL, depth 2)
    - Suspicious use of WriteProcessMemory
    PID:3040
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      - Delays execution with timeout.exe
      PID:1448
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      - Delays execution with timeout.exe
      PID:3108
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      PID:5048
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      PID:5792
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      PID:3352
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      - Delays execution with timeout.exe
      PID:4744
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      - Delays execution with timeout.exe
      PID:4976
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      PID:1548
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      - Delays execution with timeout.exe
      PID:5960
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      PID:232
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      PID:1984
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      PID:4616
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      - Delays execution with timeout.exe
      PID:2932
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      - Delays execution with timeout.exe
      PID:2304
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      - Delays execution with timeout.exe
      PID:2908
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      - Delays execution with timeout.exe
      PID:5984
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      PID:5808
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      - Delays execution with timeout.exe
      PID:132
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      PID:128
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      PID:4224
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      - Delays execution with timeout.exe
      PID:5988
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      PID:4316
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      PID:5372
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      - Delays execution with timeout.exe
      PID:1840
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      PID:1760
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      - Delays execution with timeout.exe
      PID:3128
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      PID:2368
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      PID:5096
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      PID:3536
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      PID:2428
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      PID:2012
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      PID:5488
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      PID:1536
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      - Delays execution with timeout.exe
      PID:2744
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      - Delays execution with timeout.exe
      PID:5716
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      - Delays execution with timeout.exe
      PID:1140
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      PID:4984
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      - Delays execution with timeout.exe
      PID:904
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      - Delays execution with timeout.exe
      PID:3948
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      - Delays execution with timeout.exe
      PID:4700
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      PID:904
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      - Delays execution with timeout.exe
      PID:2936
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      - Delays execution with timeout.exe
      PID:5480
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      PID:5244
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      - Delays execution with timeout.exe
      PID:5896
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      - Delays execution with timeout.exe
      PID:760
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      - Delays execution with timeout.exe
      PID:1560
    - C:\Windows\SysWOW64\timeout.exe (command line: timeout 1, depth 3)
      - Delays execution with timeout.exe
PID:1004
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:1008
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:4976
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:1828
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:5988
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:4216
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:2204
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:2672
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:4752
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:1928
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:4100
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:5464
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2120
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:3792
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:5592
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:348
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:4540
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:1456
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:3600
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:4896
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:4044
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:5716
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:3720
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1956
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:3864
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:4964
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:4932
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1724
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:5480
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:480
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:3844
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:4816
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:5492
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:656
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:3796
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:5872
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:2420
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:2536
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1556
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:2728
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:5596
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:3444
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:5332
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:2092
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1644
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:5268
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:2316
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1680
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1012
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:5928
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:3092
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:892
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1848
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:336
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2916
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:5468
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1648
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:4740
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:3596
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:3396
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:3364
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:1392
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:3496
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:3584
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:3636
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:4204
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:5892
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:5260
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:6036
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2772
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:4140
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:4784
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:3152
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2576
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:4820
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:3956
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:3128
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:4756
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:3860
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:4144
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2532
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:3824
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:5324
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:1896
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:3656
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:5612
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:3540
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:2384
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:608
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c shadow.bat >NUL 2>NUL2⤵PID:5316
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3644
Downloads
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.F6MgNQjXQek376xd1mxc82eh8wedx8sZTxvt8wmwbUA.hive