hive | 88d3e05c1207189ee80f554e7462ca58a69c1c19657aa977904f7ce0047e5505

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-02-2025 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
Size

4.8MB
MD5

82a36fb2b9eaf1d539bd1f47519d33f0
SHA1

0eecdc1b8ecd03fa8cad841e9a81497c025575a3
SHA256

88d3e05c1207189ee80f554e7462ca58a69c1c19657aa977904f7ce0047e5505
SHA512

6da93231bf189a1b9fe4e6e477d92714c709982548f9ce22e0d0a3dfeeefa06fe481539f01d60cd1e3849873e01c24b25e41d78117e6a9c1ec7343821344abcf
SSDEEP

49152:w2NiZPNNirb/T2vO90dL3BmAFd4A64nsfJk0NuXCdmTQb0/6VCrrPrsbg11VgWAG:w2ANB04yIa0hsirubOWx4+

Score

10^/10

hive defense_evasion discovery evasion execution impact ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Program Files\n8pw_HOW_TO_DECRYPT.txt

Family

hive

Ransom Note

Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: fTP4dtHQ51ZX Password: 7zC1gVatfxGNUwxnLe4e To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key.cv2gj files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed.

URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

defense_evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
3044	MpCmdRun.exe

Disables service(s) 3 TTPs
defense_evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Hive
A ransomware written in Golang first seen in June 2021.
ransomware hive
Hive family
hive

Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

defense_evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe

Modifies security service 2 TTPs 1 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe

Clears Windows event logs 1 TTPs 3 IoCs

defense_evasion ransomware

Clear Windows Event Logs

T1070.001

pid	Process
1148	wevtutil.exe
1680	wevtutil.exe
2440	wevtutil.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1492	bcdedit.exe
1936	bcdedit.exe

Renames multiple (1901) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Renames multiple (5593) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2952	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1696	powershell.exe
2732	powershell.exe

Modifies Security services 2 TTPs 6 IoCs

Modifies the startup behavior of a security service.

defense_evasion

Modify Registry

T1112

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-oql_zh_CN.jar.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\WMPSideShowGadget.exe.mui	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Aspect.eftx.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\settings.html	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Common Files\System\ado\adojavas.inc	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_zh_4.4.0.v20140623020002.jar.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-progress.jar.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\bckgzm.exe.mui.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full.png	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\Real.mpp.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153307.WMF.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0197979.WMF.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InputPersonalization.exe.mui	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\HEADER.GIF.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\wmlaunch.exe.mui	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00076_.WMF.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00238_.WMF.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_IAAAACAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-windows.xml.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.zh_CN_5.5.0.165303.jar.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic_5.5.0.165303.jar.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\3.png	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\settings.html	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\IPSEventLogMsg.dll.mui	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-appui.xml.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-left.png	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.event_1.3.100.v20140115-1647.jar.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Galapagos.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\fr-FR\Mahjong.exe.mui.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_IAAAACAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\GRIPMASK.BMP.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\n8pw_HOW_TO_DECRYPT.txt	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\1047x576black.png	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.properties.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_zh_CN.jar.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Java\jre7\lib\rt.jar.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0296288.WMF.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLLIBR.DLL.IDX_DLL.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NEWS98.POC.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Canary.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_IAAAACAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\DataSet.zip.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_IAAAACAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0233992.WMF.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WSSFilesToolIconImages.jpg.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-last-quarter_partly-cloudy.png	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File created	C:\Program Files\Microsoft Games\Chess\es-ES\n8pw_HOW_TO_DECRYPT.txt	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Johannesburg.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EET.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.properties.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Lindeman.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.rst.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_IAAAACAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00170_.WMF.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\settings.js	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dili.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR24F.GIF.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE.MANIFEST.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEBHOME.POC.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_IAAAACAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\n8pw_HOW_TO_DECRYPT.txt	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861261279.profile.gz.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_ring_docked.png	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2616	sc.exe
2100	sc.exe
2248	sc.exe
2744	sc.exe
2824	sc.exe
2588	sc.exe
2692	sc.exe
2620	sc.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2952	cmd.exe
2144	PING.EXE

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1684	vssadmin.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2984	notepad.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2144	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1696	powershell.exe
2732	powershell.exe
2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2440	wevtutil.exe
Token: SeBackupPrivilege	2440	wevtutil.exe
Token: SeSecurityPrivilege	1148	wevtutil.exe
Token: SeBackupPrivilege	1148	wevtutil.exe
Token: SeSecurityPrivilege	1680	wevtutil.exe
Token: SeBackupPrivilege	1680	wevtutil.exe
Token: SeIncreaseQuotaPrivilege	580	wmic.exe
Token: SeSecurityPrivilege	580	wmic.exe
Token: SeTakeOwnershipPrivilege	580	wmic.exe
Token: SeLoadDriverPrivilege	580	wmic.exe
Token: SeSystemProfilePrivilege	580	wmic.exe
Token: SeSystemtimePrivilege	580	wmic.exe
Token: SeProfSingleProcessPrivilege	580	wmic.exe
Token: SeIncBasePriorityPrivilege	580	wmic.exe
Token: SeCreatePagefilePrivilege	580	wmic.exe
Token: SeBackupPrivilege	580	wmic.exe
Token: SeRestorePrivilege	580	wmic.exe
Token: SeShutdownPrivilege	580	wmic.exe
Token: SeDebugPrivilege	580	wmic.exe
Token: SeSystemEnvironmentPrivilege	580	wmic.exe
Token: SeRemoteShutdownPrivilege	580	wmic.exe
Token: SeUndockPrivilege	580	wmic.exe
Token: SeManageVolumePrivilege	580	wmic.exe
Token: 33	580	wmic.exe
Token: 34	580	wmic.exe
Token: 35	580	wmic.exe
Token: SeIncreaseQuotaPrivilege	1780	wmic.exe
Token: SeSecurityPrivilege	1780	wmic.exe
Token: SeTakeOwnershipPrivilege	1780	wmic.exe
Token: SeLoadDriverPrivilege	1780	wmic.exe
Token: SeSystemProfilePrivilege	1780	wmic.exe
Token: SeSystemtimePrivilege	1780	wmic.exe
Token: SeProfSingleProcessPrivilege	1780	wmic.exe
Token: SeIncBasePriorityPrivilege	1780	wmic.exe
Token: SeCreatePagefilePrivilege	1780	wmic.exe
Token: SeBackupPrivilege	1780	wmic.exe
Token: SeRestorePrivilege	1780	wmic.exe
Token: SeShutdownPrivilege	1780	wmic.exe
Token: SeDebugPrivilege	1780	wmic.exe
Token: SeSystemEnvironmentPrivilege	1780	wmic.exe
Token: SeRemoteShutdownPrivilege	1780	wmic.exe
Token: SeUndockPrivilege	1780	wmic.exe
Token: SeManageVolumePrivilege	1780	wmic.exe
Token: 33	1780	wmic.exe
Token: 34	1780	wmic.exe
Token: 35	1780	wmic.exe
Token: SeIncreaseQuotaPrivilege	1780	wmic.exe
Token: SeSecurityPrivilege	1780	wmic.exe
Token: SeTakeOwnershipPrivilege	1780	wmic.exe
Token: SeLoadDriverPrivilege	1780	wmic.exe
Token: SeSystemProfilePrivilege	1780	wmic.exe
Token: SeSystemtimePrivilege	1780	wmic.exe
Token: SeProfSingleProcessPrivilege	1780	wmic.exe
Token: SeIncBasePriorityPrivilege	1780	wmic.exe
Token: SeCreatePagefilePrivilege	1780	wmic.exe
Token: SeBackupPrivilege	1780	wmic.exe
Token: SeRestorePrivilege	1780	wmic.exe
Token: SeShutdownPrivilege	1780	wmic.exe
Token: SeDebugPrivilege	1780	wmic.exe
Token: SeSystemEnvironmentPrivilege	1780	wmic.exe
Token: SeRemoteShutdownPrivilege	1780	wmic.exe
Token: SeUndockPrivilege	1780	wmic.exe
Token: SeManageVolumePrivilege	1780	wmic.exe
Token: 33	1780	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 1160	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	31
PID 2056 wrote to memory of 1160	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	31
PID 2056 wrote to memory of 1160	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	31
PID 1160 wrote to memory of 2464	1160	net.exe	33
PID 1160 wrote to memory of 2464	1160	net.exe	33
PID 1160 wrote to memory of 2464	1160	net.exe	33
PID 2056 wrote to memory of 2112	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	34
PID 2056 wrote to memory of 2112	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	34
PID 2056 wrote to memory of 2112	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	34
PID 2112 wrote to memory of 2416	2112	net.exe	36
PID 2112 wrote to memory of 2416	2112	net.exe	36
PID 2112 wrote to memory of 2416	2112	net.exe	36
PID 2056 wrote to memory of 1796	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	37
PID 2056 wrote to memory of 1796	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	37
PID 2056 wrote to memory of 1796	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	37
PID 1796 wrote to memory of 2680	1796	net.exe	39
PID 1796 wrote to memory of 2680	1796	net.exe	39
PID 1796 wrote to memory of 2680	1796	net.exe	39
PID 2056 wrote to memory of 1152	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	40
PID 2056 wrote to memory of 1152	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	40
PID 2056 wrote to memory of 1152	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	40
PID 1152 wrote to memory of 2776	1152	net.exe	42
PID 1152 wrote to memory of 2776	1152	net.exe	42
PID 1152 wrote to memory of 2776	1152	net.exe	42
PID 2056 wrote to memory of 2780	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	43
PID 2056 wrote to memory of 2780	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	43
PID 2056 wrote to memory of 2780	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	43
PID 2780 wrote to memory of 2860	2780	net.exe	45
PID 2780 wrote to memory of 2860	2780	net.exe	45
PID 2780 wrote to memory of 2860	2780	net.exe	45
PID 2056 wrote to memory of 2772	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	46
PID 2056 wrote to memory of 2772	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	46
PID 2056 wrote to memory of 2772	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	46
PID 2772 wrote to memory of 2840	2772	net.exe	48
PID 2772 wrote to memory of 2840	2772	net.exe	48
PID 2772 wrote to memory of 2840	2772	net.exe	48
PID 2056 wrote to memory of 2716	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	49
PID 2056 wrote to memory of 2716	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	49
PID 2056 wrote to memory of 2716	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	49
PID 2716 wrote to memory of 2580	2716	net.exe	51
PID 2716 wrote to memory of 2580	2716	net.exe	51
PID 2716 wrote to memory of 2580	2716	net.exe	51
PID 2056 wrote to memory of 2292	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	52
PID 2056 wrote to memory of 2292	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	52
PID 2056 wrote to memory of 2292	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	52
PID 2292 wrote to memory of 2732	2292	net.exe	54
PID 2292 wrote to memory of 2732	2292	net.exe	54
PID 2292 wrote to memory of 2732	2292	net.exe	54
PID 2056 wrote to memory of 2100	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	55
PID 2056 wrote to memory of 2100	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	55
PID 2056 wrote to memory of 2100	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	55
PID 2056 wrote to memory of 2248	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	57
PID 2056 wrote to memory of 2248	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	57
PID 2056 wrote to memory of 2248	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	57
PID 2056 wrote to memory of 2744	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	59
PID 2056 wrote to memory of 2744	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	59
PID 2056 wrote to memory of 2744	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	59
PID 2056 wrote to memory of 2824	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	61
PID 2056 wrote to memory of 2824	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	61
PID 2056 wrote to memory of 2824	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	61
PID 2056 wrote to memory of 2588	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	63
PID 2056 wrote to memory of 2588	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	63
PID 2056 wrote to memory of 2588	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	63
PID 2056 wrote to memory of 2692	2056	2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe	65

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\system32\net.exe
  net.exe stop "NetMsmqActivator" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "NetMsmqActivator" /y
    3⤵
    PID:2464
- C:\Windows\system32\net.exe
  net.exe stop "SamSs" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SamSs" /y
    3⤵
    PID:2416
- C:\Windows\system32\net.exe
  net.exe stop "SDRSVC" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SDRSVC" /y
    3⤵
    PID:2680
- C:\Windows\system32\net.exe
  net.exe stop "SstpSvc" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SstpSvc" /y
    3⤵
    PID:2776
- C:\Windows\system32\net.exe
  net.exe stop "UI0Detect" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "UI0Detect" /y
    3⤵
    PID:2860
- C:\Windows\system32\net.exe
  net.exe stop "VSS" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "VSS" /y
    3⤵
    PID:2840
- C:\Windows\system32\net.exe
  net.exe stop "wbengine" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "wbengine" /y
    3⤵
    PID:2580
- C:\Windows\system32\net.exe
  net.exe stop "WebClient" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "WebClient" /y
    3⤵
    PID:2732
- C:\Windows\system32\sc.exe
  sc.exe config "NetMsmqActivator" start= disabled
  2⤵
  - Launches sc.exe
  PID:2100
- C:\Windows\system32\sc.exe
  sc.exe config "SamSs" start= disabled
  2⤵
  - Launches sc.exe
  PID:2248
- C:\Windows\system32\sc.exe
  sc.exe config "SDRSVC" start= disabled
  2⤵
  - Launches sc.exe
  PID:2744
- C:\Windows\system32\sc.exe
  sc.exe config "SstpSvc" start= disabled
  2⤵
  - Launches sc.exe
  PID:2824
- C:\Windows\system32\sc.exe
  sc.exe config "UI0Detect" start= disabled
  2⤵
  - Launches sc.exe
  PID:2588
- C:\Windows\system32\sc.exe
  sc.exe config "VSS" start= disabled
  2⤵
  - Launches sc.exe
  PID:2692
- C:\Windows\system32\sc.exe
  sc.exe config "wbengine" start= disabled
  2⤵
  - Launches sc.exe
  PID:2620
- C:\Windows\system32\sc.exe
  sc.exe config "WebClient" start= disabled
  2⤵
  - Launches sc.exe
  PID:2616
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:1032
- C:\Windows\system32\reg.exe
  reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  2⤵
  PID:820
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender DisableAntiSpyware settings
  PID:2880
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  2⤵
  PID:2900
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  2⤵
  PID:1984
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2812
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2808
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2008
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1028
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2456
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  2⤵
  PID:2376
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  2⤵
  PID:2108
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  2⤵
  PID:1992
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  2⤵
  PID:2756
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:1132
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:2932
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  2⤵
  PID:2968
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  2⤵
  PID:2668
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  2⤵
  PID:1156
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  2⤵
  PID:2536
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  2⤵
  PID:1892
- C:\Windows\system32\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  2⤵
  PID:2028
- C:\Windows\system32\reg.exe
  reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  2⤵
  PID:408
- C:\Windows\system32\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  2⤵
  PID:588
- C:\Windows\system32\reg.exe
  reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:2976
- C:\Windows\system32\reg.exe
  reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:992
- C:\Windows\system32\reg.exe
  reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:1360
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:1632
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:1600
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:1612
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:776
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies security service
  PID:1732
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:888
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1684
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl system
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl security
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:1148
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl application
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:580
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1780
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1492
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled no
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1936
- C:\Windows\system32\cmd.exe
  cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
  2⤵
  PID:2340
- - C:\Program Files\Windows Defender\MpCmdRun.exe
    "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
    3⤵
    - Deletes Windows Defender Definitions
    PID:3044
- C:\Windows\system32\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
  2⤵
  PID:1584
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableIOAVProtection $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1696
- C:\Windows\system32\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  PID:2580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2732
- C:\Windows\system32\notepad.exe
  notepad.exe C:\n8pw_HOW_TO_DECRYPT.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2984
- C:\Windows\system32\cmd.exe
  cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\2025-02-04_82a36fb2b9eaf1d539bd1f47519d33f0_frostygoop_hive_luca-stealer_snatch.exe"
  2⤵
  - Deletes itself
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2952
- - C:\Windows\system32\PING.EXE
    ping.exe -n 5 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj

Filesize
27KB

MD5
d50136050bc6de12c58c0173f9c8fe86

SHA1
7e4a5eff68c312f5b64af83b7b29ec368398996c

SHA256
b4d8535b6d239e6fbe3af2cbbd06a5f77967acb1599feed6889a8575149dc6d7

SHA512
e92732fb611fba5f8e4f3de6134395f80465af696e70e70234743a939fbdc18efc9195a2e1e0766d34da50d3a548769619ddcde537bfa53835cf132777d75529

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_ON.GIF.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj

Filesize
222B

MD5
a875cf9caadc406392ad4bbde44fd55c

SHA1
847e6491a3699254781e581f107becea8812ffe5

SHA256
fff5db9fafe7d0264df2c4135ca0a6252f4f4bddfc7b62471c2cca0a3fbf5954

SHA512
5b2bbdb377737bd4892e41ad1127b5767af9d7d873300d065190d03e7a130810290bdd44500a01758c1305b7e0d50bfa5694dc188f60aabbff5a9f679fc4c036

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\TAB_OFF.GIF.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj

Filesize
341B

MD5
f4393bdb40865ebd0eddf5a27b87ddbd

SHA1
823b5e046d08576ac33517eaa93c61665edbb65c

SHA256
87ff13b6c9f725a3fb2e5c8ef524cc5819601e2d8331822333087a72dd035efb

SHA512
73a1db5a02928e2f903ffae6c477e7ce3d313048a0faf2216eeb9183db9e7406c2abfd8e36861f5a8a96eca220fe2d6a7771b84820ce27df232c944e56b62257

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj

Filesize
114B

MD5
b8fbbc73ddde31636552ab184b4e398f

SHA1
5cfbfaea56e979a07c083f2340b10a5894812d78

SHA256
3c3702253a4695b5bcb18a2565b1d49f9f32f5f9f2442fd1395197970fa34edb

SHA512
7f0f4b098e0d37ed403be8d54e2dcbc603791ddf00e3a21747c41ecfb829fdf664b6bddda8d51309e1229b197244a1d8ae23e1b3bf3348f99f84a7a8684db8d7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_K_COL.HXK.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_IAAAACAAAAA0.cv2gj

Filesize
113B

MD5
db9742e49c49c505b293a84518e95fa5

SHA1
406dae0b226900aad2ad2e10d8366651b848c053

SHA256
1c17b95e5098adb0c0e06aac8a8c7c50c6a5ef1b696465d548c8a922f1d3a653

SHA512
974917a72b2b3b783bb0ffcbfe0058489ae65ac0aa71ae86d77195780aeb7800848a3158fbe7ad8ddf9b30145d8a1a2c66f72484305ccf363b7981f105be295b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\BUTTON.GIF.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj

Filesize
185B

MD5
973779cfa96b0be367e8718db325c4ba

SHA1
be1115e7d145c8181f82b66ed30b4d5dc60bdfb7

SHA256
09d2a546c57dc9fec8fd5efd059ab8e7e21d51f582fd678f05900efef154db0a

SHA512
baba3c85e1f49e2f3b1c26f3db0cedd7a340a67c8fd5ab80e70957418d658bf137ec32fe529c01f122b932a3961fd4739eb557588d239471aa84cdfe99aa9dfa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_IAAAACAAAAA0.cv2gj

Filesize
496B

MD5
94f8f9cbbc7c55b6035f08f846d39cee

SHA1
2dad7a9174aea6a26301a00a7d3277595cfdca8f

SHA256
f1b55bf40b6fa794c1e614aa75985258a88e2165bef91eff545438b85baa5c3f

SHA512
6dabc2f1cc7872cff3682bb1d4e852d97e69cc7ae232dc9dbbb0fb3333bc3e3d99e9e2a2478cce03875abf9d2f27be964220586ae146af41484f78c98509c53c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_IAAAACAAAAA0.cv2gj

Filesize
1KB

MD5
52236cec3798df288705441118df4bcc

SHA1
1fd595c15b27c07a7185cc39bcbf66c52641e32c

SHA256
71e4d48ed4515f17faa6505256314a8d6022e103714193785e7fcd08a36a051d

SHA512
0c949c6cf7c1d61978ae838e266c845cb9990ae574d6f1e80d96c5f87db15bca354aa4499ea80fa7fb47c8734b0db55d581b8e8cda07e1664423f957ef5f91e7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.NO.XML.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj

Filesize
806B

MD5
fc9a01384283f760b245bafde02893ca

SHA1
27787bad85297baad51216df565e409dfac1d440

SHA256
7bdb5be38475510a7c05a3444b122a62e8cf4c05b35e656ca4deccce4a55d968

SHA512
a35db9e5336b752fdd25db32ee0584fcd93c9c366ab3119d1e5cdd235c8f77e44170fdf2ce6c182d02df750ed89b85926c2cf4bfd4b4f6d634ec0c20c100c0e0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj

Filesize
5KB

MD5
d096685b0765b8b50ee3d059a910fb7a

SHA1
2a684213056c172bc171738fdc9aa4e9d9f55afb

SHA256
b04ab95a0a934f5bfa95e296cfff4052e5a0dc3ef95cec4b2c2cd8a74a6b1237

SHA512
472a85712267ad7ecfa1b648c0d5e131c1a9eca59a416fd08cb4856bd6257b762e19d1d85161204517f0bc5e82d2900b738193ba1226622a9b785cef112c6b54

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj

Filesize
12KB

MD5
0b537aafb621fa906920a2e685571059

SHA1
ec20f52c8c3b08b78f9c7bf14d73492f8faea78f

SHA256
e4663c16f176ecc0d215f3a04bd8928f96c21139342eabfd3edb11a120f9bffe

SHA512
293cabf0be6471e0874fe291a3023dc6ae3cf4f712717a7615f3842170fc37c3335cf3bbfd37d5b97a0cd3dd836ca2f823ea012de7e878053ebe091fe5b0b0fc

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_IAAAACAAAAA0.cv2gj

Filesize
57B

MD5
adf99b54fd6f317b611320564167c305

SHA1
d3d80dd39b686e04bf31db6ac9335084e841ef73

SHA256
1b68454d53e781f8793547fde8fcb2f3b03b5c8134f37b9d8c4045cb8a5473f3

SHA512
65fb44cdaf01632d60ecf3b49ab1eb661982ee8b6a430dcf6d1e75789787c9e7356754cd071421ca44a1b32ab918be97a630b1b0ca722383eea56d40fa131642

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj

Filesize
8KB

MD5
49fed7cf467fdde2ad3783718a17fd09

SHA1
79fee4b9d6b3cd3bc285a49610e2914ead17d01d

SHA256
ac0bd255608d71f4bd09ea4f6bb63f2acf80eb45ebaa45286fbde451ae9fac00

SHA512
43f090eb4a91115f81ac7703ae64e5d3f18fb4e6a932427e779392223ea6220c4eeca7db0f8a14b60e61d51a39db38458aade7b52e8fdaf5ccbe9b85eda54b96

Download Submit
C:\Program Files\Java\jre7\lib\images\cursors\win32_CopyNoDrop32x32.gif.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj

Filesize
153B

MD5
1e9d8f133a442da6b0c74d49bc84a341

SHA1
259edc45b4569427e8319895a444f4295d54348f

SHA256
1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

SHA512
63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+5.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj

Filesize
27B

MD5
a2abe32f03e019dbd5c21e71cc0f0db9

SHA1
25b042eb931fff4e815adcc2ddce3636debf0ae1

SHA256
27ba8b5814833b1e8e8b5d08246b383cb8a5fb7e74e237cdbcadf320e882ab78

SHA512
197c065b9c17c6849a15f45ac69dafa68aaa0b792219fedb153d146f23997bfa4fbc4127b1d030a92a4d7103bded76a1389df715b9539ea23ea21e6a4bb65fb2

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj

Filesize
27B

MD5
7da9aa0de33b521b3399a4ffd4078bdb

SHA1
f188a712f77103d544d4acf91d13dbc664c67034

SHA256
0a526439ed04845ce94f7e9ae55c689ad01e1493f3b30c5c2b434a31fa33a43d

SHA512
9d2170571a58aed23f29fc465c2b14db3511e88907e017c010d452ecdf7a77299020d71f8b621a86e94dd2774a5418612d381e39335f92e287a4f451ee90cfb6

Download Submit
C:\Program Files\Java\jre7\lib\zi\HST.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj

Filesize
27B

MD5
715dc3fcec7a4b845347b628caf46c84

SHA1
1b194cdd0a0dc5560680c33f19fc2e7c09523cd1

SHA256
3144bc5353ebbd941cdccbbd9f5fb5a06f38abf5cc7b672111705c9778412d08

SHA512
72ab4b4ad0990cce0723a882652bf4f37aac09b32a8dd33b56b1fbf25ac56ae054328909efd68c8243e54e449d845fb9d53dd95f47eaaf5873762fcd55a39662

Download Submit
C:\Program Files\Java\jre7\lib\zi\MST.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj

Filesize
27B

MD5
11f8e73ad57571383afa5eaf6bc0456a

SHA1
65a736dddd8e9a3f1dd6fbe999b188910b5f7931

SHA256
0e6a7f1ab731ae6840eacc36b37cbe3277a991720a7c779e116ab488e0eeed4e

SHA512
578665a0897a2c05eda59fb6828f4a9f440fc784059a5f97c8484f164a5fcec95274159c6ff6336f4863b942129cb884110d14c9bd507a2d12d83a4e17f596d2

Download Submit
C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_AAAAAAAAAAA0.cv2gj

Filesize
614KB

MD5
0db610fd74da666de31444744bcef54a

SHA1
5359bf8488bf5a810d5a9aa82aa366f9d34d7585

SHA256
af73d8d086ef0b440ffcf5e2ec4ae606f9a079f3e03b52899f51aa021beda76b

SHA512
b025a605eafb67861f5327fc81e9f693b0b5ae9524ebd41b1579dcb58f1a8cdad8f6e740823c4b839e273096bfc83db56cf291b8480eabcbc4a22ee144299a3f

Download Submit
C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo.JfGety2xKySbklsLz1YQBaRlD2ZQOsmI8zCsUdIrZKj_IAAAACAAAAA0.cv2gj

Filesize
611KB

MD5
aef632973203b10a0c76b1a47219950d

SHA1
0626ec40009ff25811e7dce8e2a703e3daff4493

SHA256
7ee7984ef09679e911a3db72c4ca10c49d812a82937ef996f4222e465b272594

SHA512
f64958d6e534e4fae0ffe2cd1a9072bca08cb9b717dcc33f5949c9bdddeda6775c723f798cdab5d4340edcfc384d3e3d33f83ef24c92af9be678fb8e8d8ab616

Download Submit
C:\Program Files\n8pw_HOW_TO_DECRYPT.txt

Filesize
1KB

MD5
d3eca3baec61c36c9353ef1699b8bfca

SHA1
f084193262e0d462165cfac58e1422ab90df7514

SHA256
3ef5776a2dfd960f996ab765efa2b117d3e3135dc8e196aa7bdc525bd4125678

SHA512
8d8eb00e0764ea07a999d0f07bd21f4f4b8169f19673de0cea833670c38edd41792136a63036477bebeb2a0fbbca5f4faafb381f8fd4ffb178d4209e073e2a17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5aff7ea99a9f29db7aa358eb9141db47

SHA1
de418cc4559ff1c99d6b466f72fe19c1a53139b3

SHA256
062fc8b5cf8151824553afc127d6f642dc872f07ecdf41935927325d15874790

SHA512
4faa038bd99b8d019678cfd58d77b5c71666f0907c0f828d58c4b089be35fe9ece4cd21cbc0344d7e63efd81dbb256599d33fb46b2a98432043cebd051dcddf6

Download Submit
memory/1696-10-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/1696-11-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2056-3127-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2056-3123-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2056-3117-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2056-3134-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2056-3137-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2056-3136-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2056-3135-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2056-3133-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2056-3132-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2056-3131-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2056-3130-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2056-3129-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2056-3128-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2056-3119-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2056-3126-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2056-3125-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2056-3124-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2056-3118-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2056-3122-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2056-3121-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2056-3153-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2056-0-0x0000000000400000-0x00000000008EC000-memory.dmp

Filesize
4.9MB

Download
memory/2056-8181-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2056-8180-0x0000000000400000-0x00000000008EC000-memory.dmp

Filesize
4.9MB

Download
memory/2056-3120-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2056-6407-0x0000000000400000-0x00000000008EC000-memory.dmp

Filesize
4.9MB

Download
memory/2056-3116-0x0000000000400000-0x00000000008EC000-memory.dmp

Filesize
4.9MB

Download
memory/2056-3018-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2056-1-0x00000000774D1000-0x00000000774D2000-memory.dmp

Filesize
4KB

Download
memory/2056-2-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2056-7515-0x0000000000400000-0x00000000008EC000-memory.dmp

Filesize
4.9MB

Download
memory/2056-7516-0x0000000000400000-0x00000000008EC000-memory.dmp

Filesize
4.9MB

Download
memory/2056-2688-0x0000000000400000-0x00000000008EC000-memory.dmp

Filesize
4.9MB

Download
memory/2056-8179-0x0000000000400000-0x00000000008EC000-memory.dmp

Filesize
4.9MB

Download
memory/2732-17-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2732-18-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download