Overview
overview
10Static
static
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
7Resubmissions
28-07-2024 16:38
240728-t5tryssgmm 1007-07-2024 14:07
240707-rfgd8atekm 1007-07-2024 14:07
240707-re689awdpe 1013-09-2022 17:54
220913-wg1lpsgbg7 10Analysis
-
max time kernel
143s -
max time network
21s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
28-07-2024 16:38
Static task
static1
Behavioral task
behavioral1
Sample
RansomwareSamples/Avaddon_09_06_2020_1054KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
RansomwareSamples/Avaddon_09_06_2020_1054KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral3
Sample
RansomwareSamples/Avos_18_07_2021_403KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
RansomwareSamples/Avos_18_07_2021_403KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral5
Sample
RansomwareSamples/Babik_04_01_2021_31KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral6
Sample
RansomwareSamples/Babik_04_01_2021_31KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral7
Sample
RansomwareSamples/Babuk_20_04_2021_79KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral8
Sample
RansomwareSamples/Babuk_20_04_2021_79KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral9
Sample
RansomwareSamples/BlackKingdom_23_03_2021_12460KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral10
Sample
RansomwareSamples/BlackKingdom_23_03_2021_12460KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral11
Sample
RansomwareSamples/BlackMatter_02_08_2021_67KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral12
Sample
RansomwareSamples/BlackMatter_02_08_2021_67KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral13
Sample
RansomwareSamples/Conti_22_12_2020_186KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral14
Sample
RansomwareSamples/Conti_22_12_2020_186KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral15
Sample
RansomwareSamples/Cuba_08_03_2021_1130KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral16
Sample
RansomwareSamples/Cuba_08_03_2021_1130KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral17
Sample
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral18
Sample
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral19
Sample
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral20
Sample
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral21
Sample
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral22
Sample
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral23
Sample
RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral24
Sample
RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral25
Sample
RansomwareSamples/Hades_29_03_2021_1909KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral26
Sample
RansomwareSamples/Hades_29_03_2021_1909KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral27
Sample
RansomwareSamples/Hive_17_07_2021_808KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral28
Sample
RansomwareSamples/Hive_17_07_2021_808KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral29
Sample
RansomwareSamples/LockBit_14_02_2021_146KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral30
Sample
RansomwareSamples/LockBit_14_02_2021_146KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral31
Sample
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral32
Sample
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Resource
win10v2004-20240709-en
General
-
Target
RansomwareSamples/Hive_17_07_2021_808KB.exe
-
Size
808KB
-
MD5
504bd1695de326bc533fde29b8a69319
-
SHA1
67f0c8d81aefcfc5943b31d695972194ac15e9f2
-
SHA256
a0b4e3d7e4cd20d25ad2f92be954b95eea44f8f1944118a3194295c5677db749
-
SHA512
18c5b28bafb13edf47f6a2b803d9d9a914945f037b266a765f2a324842c5ef04ebda27eba31851d2d63e00779a42900e0edfe4ad5bd817eb4f43fa4d4e3a4767
-
SSDEEP
24576:lafTGwLNdRk4RBtr/ioF4/I+CMx3cMt3/4KFG8Qz4YwY:IT7dRFr/ioFjicMtvV4z
Malware Config
Extracted
C:\$Recycle.Bin\HOW_TO_DECRYPT.txt
hive
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
Signatures
-
Detects Go variant of Hive Ransomware 15 IoCs
resource yara_rule behavioral27/memory/760-1-0x00000000001F0000-0x00000000004C9000-memory.dmp hive_go behavioral27/memory/760-42-0x00000000001F0000-0x00000000004C9000-memory.dmp hive_go behavioral27/memory/760-272-0x00000000001F0000-0x00000000004C9000-memory.dmp hive_go behavioral27/memory/760-944-0x00000000001F0000-0x00000000004C9000-memory.dmp hive_go behavioral27/memory/760-1876-0x00000000001F0000-0x00000000004C9000-memory.dmp hive_go behavioral27/memory/760-2807-0x00000000001F0000-0x00000000004C9000-memory.dmp hive_go behavioral27/memory/760-3547-0x00000000001F0000-0x00000000004C9000-memory.dmp hive_go behavioral27/memory/760-3931-0x00000000001F0000-0x00000000004C9000-memory.dmp hive_go behavioral27/memory/760-4303-0x00000000001F0000-0x00000000004C9000-memory.dmp hive_go behavioral27/memory/760-4304-0x00000000001F0000-0x00000000004C9000-memory.dmp hive_go behavioral27/memory/760-4305-0x00000000001F0000-0x00000000004C9000-memory.dmp hive_go behavioral27/memory/760-4306-0x00000000001F0000-0x00000000004C9000-memory.dmp hive_go behavioral27/memory/760-4873-0x00000000001F0000-0x00000000004C9000-memory.dmp hive_go behavioral27/memory/760-8793-0x00000000001F0000-0x00000000004C9000-memory.dmp hive_go behavioral27/memory/760-10792-0x00000000001F0000-0x00000000004C9000-memory.dmp hive_go -
Hive
A ransomware written in Golang first seen in June 2021.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops file in Drivers directory 29 IoCs
description ioc Process File created C:\Windows\SysWOW64\drivers\UMDF\es-ES\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\drivers\UMDF\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\SysWOW64\drivers\UMDF\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\SysWOW64\drivers\UMDF\fr-FR\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\SysWOW64\drivers\UMDF\it-IT\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\drivers\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\SysWOW64\drivers\de-DE\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\drivers\UMDF\de-DE\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\drivers\etc\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\SysWOW64\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\SysWOW64\drivers\en-US\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\SysWOW64\drivers\UMDF\de-DE\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\SysWOW64\drivers\it-IT\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\drivers\UMDF\es-ES\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\drivers\en-US\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\drivers\UMDF\ja-JP\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\drivers\it-IT\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\SysWOW64\drivers\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\SysWOW64\drivers\es-ES\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\SysWOW64\drivers\fr-FR\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\SysWOW64\drivers\ja-JP\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\SysWOW64\drivers\UMDF\ja-JP\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\drivers\UMDF\it-IT\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\drivers\ja-JP\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\drivers\UMDF\fr-FR\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\drivers\de-DE\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\drivers\es-ES\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\drivers\fr-FR\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe -
Boot or Logon Autostart Execution: Print Processors 1 TTPs 7 IoCs
Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
description ioc Process File created C:\Windows\System32\spool\prtprocs\x64\ja-JP\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\spool\prtprocs\x64\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\spool\prtprocs\x64\de-DE\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\spool\prtprocs\x64\en-US\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\spool\prtprocs\x64\es-ES\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\spool\prtprocs\x64\fr-FR\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\spool\prtprocs\x64\it-IT\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe -
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 4 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.2bFe2RNXl41EgVSI0NCD79mtp4bWMw5hTIxI97N3WUM.hive Hive_17_07_2021_808KB.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral27/memory/760-0-0x00000000001F0000-0x00000000004C9000-memory.dmp upx behavioral27/memory/760-1-0x00000000001F0000-0x00000000004C9000-memory.dmp upx behavioral27/memory/760-42-0x00000000001F0000-0x00000000004C9000-memory.dmp upx behavioral27/memory/760-272-0x00000000001F0000-0x00000000004C9000-memory.dmp upx behavioral27/memory/760-944-0x00000000001F0000-0x00000000004C9000-memory.dmp upx behavioral27/memory/760-1876-0x00000000001F0000-0x00000000004C9000-memory.dmp upx behavioral27/memory/760-2807-0x00000000001F0000-0x00000000004C9000-memory.dmp upx behavioral27/memory/760-3547-0x00000000001F0000-0x00000000004C9000-memory.dmp upx behavioral27/memory/760-3931-0x00000000001F0000-0x00000000004C9000-memory.dmp upx behavioral27/memory/760-4303-0x00000000001F0000-0x00000000004C9000-memory.dmp upx behavioral27/memory/760-4304-0x00000000001F0000-0x00000000004C9000-memory.dmp upx behavioral27/memory/760-4305-0x00000000001F0000-0x00000000004C9000-memory.dmp upx behavioral27/memory/760-4306-0x00000000001F0000-0x00000000004C9000-memory.dmp upx behavioral27/memory/760-4873-0x00000000001F0000-0x00000000004C9000-memory.dmp upx behavioral27/memory/760-8793-0x00000000001F0000-0x00000000004C9000-memory.dmp upx behavioral27/memory/760-10792-0x00000000001F0000-0x00000000004C9000-memory.dmp upx -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Public\Videos\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Admin\Documents\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\TWVGEE8A\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Public\Music\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Public\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Admin\Searches\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CGY9ZAGI\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U42VY3XA\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Public\Downloads\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Public\Recorded TV\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI Hive_17_07_2021_808KB.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Admin\Music\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4NH6FMWO\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VUPQHL12\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Admin\Links\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Public\Desktop\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Public\Documents\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\OORJZY5Z\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini Hive_17_07_2021_808KB.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini Hive_17_07_2021_808KB.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\System32\en-US\Licenses\eval\HomePremium\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\ja-JP\Licenses\OEM\StarterE\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\SysWOW64\de-DE\Licenses\_Default\Starter\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\SysWOW64\sysprep\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\DriverStore\FileRepository\elxstor.inf_amd64_neutral_4263942b9dfe9077\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\DriverStore\FileRepository\lsi_fc.inf_amd64_neutral_a7088f3644ca646a\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\DriverStore\FileRepository\prnep003.inf_amd64_neutral_92ed2d842e0dd4ea\Amd64\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\Printing_Admin_Scripts\es-ES\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\SysWOW64\en-US\Licenses\eval\HomeBasicE\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\Tasks\Microsoft\Windows\Defrag\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\SysWOW64\es-ES\Licenses\_Default\HomePremiumN\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\DriverStore\FileRepository\prnlx00e.inf_amd64_neutral_0a4797d9b127d3a7\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\es-ES\Licenses\eval\HomeBasicN\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\spp\tokens\channels\OCUR\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\SysWOW64\es-ES\Licenses\_Default\ProfessionalN\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\DriverStore\FileRepository\prnep00d.inf_amd64_neutral_dd61103f3a2743d4\Amd64\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\DriverStore\FileRepository\prnnr002.inf_amd64_neutral_37896c5e81c8d488\Amd64\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\SMI\Schema\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\Tasks\Microsoft\Windows\Power Efficiency Diagnostics\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\es-ES\Licenses\eval\Ultimate\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\SysWOW64\it-IT\Licenses\_Default\Professional\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\DriverStore\FileRepository\mdmetech.inf_amd64_neutral_230358eeb58f0b3b\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\DriverStore\FileRepository\mdmmcd.inf_amd64_neutral_49212f5920298e45\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\en-US\Licenses\OEM\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\SysWOW64\de-DE\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\0411\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\DriverStore\FileRepository\mdmarch.inf_amd64_neutral_4261401e3170ebfb\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\DriverStore\FileRepository\prnxx002.inf_amd64_neutral_560fdd891b24f384\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\DriverStore\FileRepository\wialx004.inf_amd64_neutral_0a3a62ae6ed43127\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\DriverStore\FileRepository\ws3cap.inf_amd64_neutral_eeaccb8f1560f5fb\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\migwiz\dlmanifests\Microsoft-Windows-NetworkLoadBalancing-Core\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\it-IT\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\SysWOW64\es-ES\Licenses\_Default\Enterprise\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\DriverStore\FileRepository\hpoa1nd.inf_amd64_neutral_cf39c48277e038de\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\de-DE\Licenses\OEM\ProfessionalN\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\pl-PL\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\SysWOW64\de\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\SysWOW64\migwiz\replacementmanifests\microsoft-windows-ndis\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\DriverStore\ja-JP\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\LogFiles\Fax\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\DriverStore\FileRepository\cxraptor_fm1236mk5_ibv64.inf_amd64_neutral_b81bec917adfaea5\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\it-IT\Licenses\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\DriverStore\FileRepository\prnso002.inf_amd64_neutral_c3b7ce4e6f71641f\Amd64\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\de-DE\Licenses\_Default\HomePremium\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\wbem\Logs\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\SysWOW64\ja-JP\Licenses\_Default\HomePremiumE\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\Microsoft\Protect\S-1-5-18\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\SMI\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\ja-JP\Licenses\OEM\ProfessionalN\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\SysWOW64\en-US\Licenses\_Default\Ultimate\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\SysWOW64\es-ES\Licenses\eval\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\DriverStore\FileRepository\prnlx00w.inf_amd64_neutral_d4c93bb2fbf75723\Amd64\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\LogFiles\Fax\Incoming\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\SysWOW64\fr-FR\Licenses\OEM\EnterpriseN\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\DriverStore\FileRepository\prnts003.inf_amd64_neutral_33a68664c7e7ae4b\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\de-DE\Licenses\OEM\ProfessionalE\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\fr-FR\Licenses\OEM\HomePremium\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\migwiz\replacementmanifests\WindowsSearchEngine\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\SysWOW64\it-IT\Licenses\OEM\HomePremiumN\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\DriverStore\FileRepository\ts_generic.inf_amd64_neutral_1a5c861fdb3aab0e\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\Setup\en-US\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\System32\winrm\0C0A\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\InkObj.dll.mui Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\7-Zip\Lang\kaa.txt Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\larrow.gif Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.properties Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_ja_4.4.0.v20140623020002.jar Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Rothera.2bFe2RNXl41EgVSI0NCD70GP5cOBwBdJuW580hA-2Vo.hive Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench_1.2.1.v20140901-1244.jar.2bFe2RNXl41EgVSI0NCD78oP2MmmoJJdQji997Mgok8.hive Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187863.WMF Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN011.XML Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN048.XML Hive_17_07_2021_808KB.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT-2 Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\PROOF\MSLID.DLL Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_standard_plugin.dll.2bFe2RNXl41EgVSI0NCD7xkiSyCU1ScgKS0pFyu_um4.hive Hive_17_07_2021_808KB.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\settings.html Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01237_.GIF Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN022.XML Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_ca.dll.2bFe2RNXl41EgVSI0NCD7wvCobrLKWhf2w-HM8r4bUs.hive Hive_17_07_2021_808KB.exe File created C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Kabul Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.Speech.resources.dll Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_plugin.dll Hive_17_07_2021_808KB.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Khandyga.2bFe2RNXl41EgVSI0NCD7796YB0cEIkZE1e0ETZVTnM.hive Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Entity.Design.Resources.dll Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\flyout.css Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml.2bFe2RNXl41EgVSI0NCD76S1cWGVPlodmooWj50QGCs.hive Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Ceuta.2bFe2RNXl41EgVSI0NCD73k8tJvkjocOZFPmdmKa_VM.hive Hive_17_07_2021_808KB.exe File created C:\Program Files\Common Files\Microsoft Shared\VGX\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Warsaw Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\eo\LC_MESSAGES\vlc.mo Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Buenos_Aires Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Vancouver.2bFe2RNXl41EgVSI0NCD77yOdKtCVsxDEjPe1eDUkxg.hive Hive_17_07_2021_808KB.exe File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_10_p010_plugin.dll Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\background.gif Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OISGRAPH.DLL Hive_17_07_2021_808KB.exe File created C:\Program Files\Windows NT\TableTextService\en-US\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL081.XML Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe.2bFe2RNXl41EgVSI0NCD775SzVPF-wkk8ebqOL-eiUs.hive Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178459.JPG Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315580.JPG Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Boise.2bFe2RNXl41EgVSI0NCD70MYSwJwaNsVo_aPuISJXyQ.hive Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\TAB_ON.GIF Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh87.2bFe2RNXl41EgVSI0NCD77GB3T9BMkka3AYItwybdSU.hive Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-left.png Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\RSSFeeds.html Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker.nl_zh_4.4.0.v20140623020002.jar.2bFe2RNXl41EgVSI0NCD79z0a_HYFy0Z2qW31I2ayVg.hive Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\background.gif Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Apia Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105246.WMF Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Java\jre7\lib\javaws.jar.2bFe2RNXl41EgVSI0NCD787SOSDduxMSY-ODBH1GVU4.hive Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Amsterdam Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.jpg Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01182_.WMF Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0149407.WMF Hive_17_07_2021_808KB.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Belize.2bFe2RNXl41EgVSI0NCD70cbcmWKSv95Fbwb9O0qNGc.hive Hive_17_07_2021_808KB.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\Globalization\MCT\MCT-ZA\RSSFeed\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\assembly\GAC_32\System.Transactions\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\assembly\GAC_MSIL\System.IO.Log\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\assembly\GAC_MSIL\System.Web.Extensions.Design.resources\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\assembly\GAC_MSIL\ehexthost\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\Globalization\ELS\Transliteration\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\Resources\Themes\Aero\Shell\NormalColor\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\assembly\GAC_32\mcstoredb\6.1.0.0__31bf3856ad364e35\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\assembly\GAC_MSIL\System.Core.resources\3.5.0.0_es_b77a5c561934e089\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\Help\mui\0C0A\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Instrumentation\v4.0_4.0.0.0__b77a5c561934e089\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\Speech\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks.resources\2.0.0.0_it_b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\IME\IMEJP10\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\Media\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\assembly\GAC_MSIL\System.Web.Extensions.Design.resources\3.5.0.0_es_31bf3856ad364e35\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\Boot\PCAT\zh-CN\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\Help\Windows\de-DE\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1046\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Reflection.Primitives\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\Resources\Themes\Aero\Shell\NormalColor\fr-FR\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.UpdateDiagRootcause.Resources\1.0.0.0_de_31bf3856ad364e35\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\assembly\GAC_MSIL\PresentationBuildTasks.resources\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\Branding\Basebrd\de-DE\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\assembly\GAC_MSIL\System.Workflow.Activities\3.0.0.0__31bf3856ad364e35\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\assembly\GAC_MSIL\System.Data.DataSetExtensions\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\it-IT\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\Microsoft.NET\Framework64\v3.5\SQL\EN\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1032\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Editor.Resources\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\assembly\GAC_MSIL\System.Web.Routing.resources\3.5.0.0_de_31bf3856ad364e35\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\CSC\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\assembly\GAC_64\System.Printing\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\assembly\GAC_MSIL\System.Web.Abstractions\3.5.0.0__31bf3856ad364e35\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\assembly\GAC_MSIL\System.Web.Services.resources\2.0.0.0_de_b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\Globalization\MCT\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\Fonts\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\Globalization\MCT\MCT-ZA\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\assembly\GAC_64\System.EnterpriseServices\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\assembly\GAC_MSIL\system.management.resources\2.0.0.0_de_b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\Panther\setup.exe\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessData.Intl\14.0.0.0__71e9bce111e9429c\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\assembly\GAC_MSIL\System.resources\2.0.0.0_ja_b77a5c561934e089\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\Microsoft.NET\Framework64\v3.5\es\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\MUI\040C\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.CompilerServices.VisualC\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks.resources\2.0.0.0_fr_b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\assembly\GAC_MSIL\System.Data.Services.Design\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\assembly\GAC_MSIL\System.Windows.Presentation.resources\3.5.0.0_ja_b77a5c561934e089\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\LiveKernelReports\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\Boot\EFI\cs-CZ\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.DurableInstancing\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe File created C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.OneNote\12.0.0.0__71e9bce111e9429c\HOW_TO_DECRYPT.txt Hive_17_07_2021_808KB.exe -
Delays execution with timeout.exe 64 IoCs
pid Process 2428 timeout.exe 2436 timeout.exe 2156 timeout.exe 1696 timeout.exe 880 timeout.exe 2184 timeout.exe 1092 timeout.exe 2336 timeout.exe 2024 timeout.exe 2868 timeout.exe 2972 timeout.exe 3036 timeout.exe 2860 timeout.exe 1916 timeout.exe 1352 timeout.exe 1452 timeout.exe 1232 timeout.exe 804 timeout.exe 2364 timeout.exe 1544 timeout.exe 2688 timeout.exe 2632 timeout.exe 1284 timeout.exe 636 timeout.exe 1720 timeout.exe 108 timeout.exe 1372 timeout.exe 1712 timeout.exe 556 timeout.exe 3056 timeout.exe 3032 timeout.exe 2272 timeout.exe 2612 timeout.exe 2124 timeout.exe 2608 timeout.exe 1036 timeout.exe 2704 timeout.exe 2908 timeout.exe 1696 timeout.exe 1720 timeout.exe 1420 timeout.exe 2752 timeout.exe 2572 timeout.exe 2012 timeout.exe 2828 timeout.exe 2652 timeout.exe 856 timeout.exe 1988 timeout.exe 856 timeout.exe 2132 timeout.exe 2096 timeout.exe 1664 timeout.exe 2960 timeout.exe 2924 timeout.exe 2916 timeout.exe 2112 timeout.exe 2888 timeout.exe 940 timeout.exe 2288 timeout.exe 2440 timeout.exe 2264 timeout.exe 768 timeout.exe 1052 timeout.exe 924 timeout.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2768 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 760 Hive_17_07_2021_808KB.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 2800 vssvc.exe Token: SeRestorePrivilege 2800 vssvc.exe Token: SeAuditPrivilege 2800 vssvc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 760 wrote to memory of 2120 760 Hive_17_07_2021_808KB.exe 30 PID 760 wrote to memory of 2120 760 Hive_17_07_2021_808KB.exe 30 PID 760 wrote to memory of 2120 760 Hive_17_07_2021_808KB.exe 30 PID 760 wrote to memory of 2736 760 Hive_17_07_2021_808KB.exe 31 PID 760 wrote to memory of 2736 760 Hive_17_07_2021_808KB.exe 31 PID 760 wrote to memory of 2736 760 Hive_17_07_2021_808KB.exe 31 PID 2120 wrote to memory of 2752 2120 cmd.exe 32 PID 2120 wrote to memory of 2752 2120 cmd.exe 32 PID 2120 wrote to memory of 2752 2120 cmd.exe 32 PID 2736 wrote to memory of 2768 2736 cmd.exe 33 PID 2736 wrote to memory of 2768 2736 cmd.exe 33 PID 2736 wrote to memory of 2768 2736 cmd.exe 33 PID 2120 wrote to memory of 2968 2120 cmd.exe 36 PID 2120 wrote to memory of 2968 2120 cmd.exe 36 PID 2120 wrote to memory of 2968 2120 cmd.exe 36 PID 2120 wrote to memory of 2144 2120 cmd.exe 37 PID 2120 wrote to memory of 2144 2120 cmd.exe 37 PID 2120 wrote to memory of 2144 2120 cmd.exe 37 PID 2120 wrote to memory of 2088 2120 cmd.exe 38 PID 2120 wrote to memory of 2088 2120 cmd.exe 38 PID 2120 wrote to memory of 2088 2120 cmd.exe 38 PID 2120 wrote to memory of 2156 2120 cmd.exe 39 PID 2120 wrote to memory of 2156 2120 cmd.exe 39 PID 2120 wrote to memory of 2156 2120 cmd.exe 39 PID 2120 wrote to memory of 2024 2120 cmd.exe 40 PID 2120 wrote to memory of 2024 2120 cmd.exe 40 PID 2120 wrote to memory of 2024 2120 cmd.exe 40 PID 2120 wrote to memory of 1692 2120 cmd.exe 41 PID 2120 wrote to memory of 1692 2120 cmd.exe 41 PID 2120 wrote to memory of 1692 2120 cmd.exe 41 PID 2120 wrote to memory of 2572 2120 cmd.exe 42 PID 2120 wrote to memory of 2572 2120 cmd.exe 42 PID 2120 wrote to memory of 2572 2120 cmd.exe 42 PID 2120 wrote to memory of 1052 2120 cmd.exe 43 PID 2120 wrote to memory of 1052 2120 cmd.exe 43 PID 2120 wrote to memory of 1052 2120 cmd.exe 43 PID 2120 wrote to memory of 2180 2120 cmd.exe 44 PID 2120 wrote to memory of 2180 2120 cmd.exe 44 PID 2120 wrote to memory of 2180 2120 cmd.exe 44 PID 2120 wrote to memory of 324 2120 cmd.exe 45 PID 2120 wrote to memory of 324 2120 cmd.exe 45 PID 2120 wrote to memory of 324 2120 cmd.exe 45 PID 2120 wrote to memory of 2288 2120 cmd.exe 46 PID 2120 wrote to memory of 2288 2120 cmd.exe 46 PID 2120 wrote to memory of 2288 2120 cmd.exe 46 PID 2120 wrote to memory of 2888 2120 cmd.exe 47 PID 2120 wrote to memory of 2888 2120 cmd.exe 47 PID 2120 wrote to memory of 2888 2120 cmd.exe 47 PID 2120 wrote to memory of 2552 2120 cmd.exe 48 PID 2120 wrote to memory of 2552 2120 cmd.exe 48 PID 2120 wrote to memory of 2552 2120 cmd.exe 48 PID 2120 wrote to memory of 2988 2120 cmd.exe 49 PID 2120 wrote to memory of 2988 2120 cmd.exe 49 PID 2120 wrote to memory of 2988 2120 cmd.exe 49 PID 2120 wrote to memory of 1296 2120 cmd.exe 50 PID 2120 wrote to memory of 1296 2120 cmd.exe 50 PID 2120 wrote to memory of 1296 2120 cmd.exe 50 PID 2120 wrote to memory of 212 2120 cmd.exe 51 PID 2120 wrote to memory of 212 2120 cmd.exe 51 PID 2120 wrote to memory of 212 2120 cmd.exe 51 PID 2120 wrote to memory of 1452 2120 cmd.exe 52 PID 2120 wrote to memory of 1452 2120 cmd.exe 52 PID 2120 wrote to memory of 1452 2120 cmd.exe 52 PID 2120 wrote to memory of 2972 2120 cmd.exe 53 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe"1⤵
- Drops file in Drivers directory
- Boot or Logon Autostart Execution: Print Processors
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\system32\cmd.execmd /c hive.bat >NUL 2>NUL2⤵
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2752
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:2968
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:2144
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:2088
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:2156
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2024
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:1692
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2572
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1052
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:2180
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:324
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2288
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2888
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:2552
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:2988
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:1296
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:212
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:1452
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:2972
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:2288
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1036
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2440
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:3032
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:2288
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2012
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:940
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:840
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2828
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:1036
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2652
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:1620
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:2896
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1544
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:1760
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:856
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:2912
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1352
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:2668
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1696
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:2500
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:2828
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2868
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:924
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2272
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:2608
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1232
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:1616
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:920
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2688
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2972
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:1724
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:3056
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1452
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:1816
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:1288
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1720
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:804
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:3036
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:1920
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2612
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:1708
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:880
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:2712
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2704
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2184
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2924
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:552
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2860
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1988
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:2084
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:1288
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:1336
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:856
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:2900
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1720
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1916
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:2352
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1092
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:2472
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2132
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2124
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2364
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:3020
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2916
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:2508
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2608
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2336
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2112
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:2056
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:204
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:224
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:2692
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:992
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2428
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:2520
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2632
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:1784
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:2140
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:1676
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:2772
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:604
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:108
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1372
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:1652
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1284
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:1232
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2436
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:1584
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:3036
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:2868
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2096
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:108
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:552
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1712
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:2964
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:2552
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:940
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1420
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:1284
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2264
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2908
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:636
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:556
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1664
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:3056
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:2168
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:1972
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:768
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1696
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:2924
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2156
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:1544
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:2576
-
-
C:\Windows\system32\timeout.exetimeout 13⤵PID:2184
-
-
C:\Windows\system32\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2960
-
-
-
C:\Windows\system32\cmd.execmd /c shadow.bat >NUL 2>NUL2⤵
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2768
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2800
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5ee4ad142674725d6d9b58c9c3bb836dc
SHA1ac9bac37131c72a549d2bf3fbd233061906d5fab
SHA256fc1f1ed6a6692d18788de47420ead7e8a1b534b015db69a39052a0a2fc30c776
SHA512a34c547d13880b578703f52b7d3d61b1893536966204d80a9e0f60aee8851bd9f70e3d0ceb1601aa11901c6315f57128c49f2000cc4fcbc67ed92e4628e45da3
-
Filesize
129B
MD52adc92efc54016e58eabc4fa55f131b1
SHA1ffd5c3a7904ae370886a98330cc5675b99ee2c3f
SHA2569bda481b38e6f4f1063bceda964fd68f1ffd7683c192de8d0755965791d8e27f
SHA5127f0de144ea93cfae002ed5adb4efb3b7e57f6526cffd055b676130c832e44b27c1889df9c928ab8029cd14876dfdec884e417f8ffab8e1ac6d1e091a55aa9bbc
-
Filesize
232B
MD56358d970c3edccb57eae7dbf9f42d58f
SHA125b994c3b5604f4f67e1ac6250bc2f14ce690380
SHA2569e36401051e677f69a82ab8fbdebd6b16210ee40612c8c7fa45ceb5d7757fe50
SHA51244819fec7e90b903eece750d0a2de531520ed9e637e17e4a57786f9a61c6d4b95ff6072fc3530a9d35d8dc756bcfe20f80a6a07a72d35cf24b305053ae389131
-
Filesize
57B
MD5df5552357692e0cba5e69f8fbf06abb6
SHA14714f1e6bb75a80a8faf69434726d176b70d7bd8
SHA256d158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8
SHA512a837555a1175ab515e2b43da9e493ff0ccd4366ee59defe6770327818ca9afa6f3e39ecdf5262b69253aa9e2692283ee8cebc97d58edd42e676977c7f73d143d