hive | 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2025, 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hive Ransomware.exe
Size

764KB
MD5

2f9fc82898d718f2abe99c4a6fa79e69
SHA1

9d336b8911c8ffd7cc809e31d5b53796bb0cc7bb
SHA256

88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1
SHA512

19f0879b1c54d305ab7a97a0d46ab79c103d4687fe37d5f9ef1934904eea48a1c66b1ac2de3dace6dc0d91623309287044c198cb0b3fc9f8453fbc9d1c0cae8b
SSDEEP

12288:CinNFNkY/yU97ppM4NSBG81Np2C9H4S3iDjlLtc4wCIITIQaOI6NrwacVYV+4MsT:CinN3n/y67jM4v4kCSPDjlLtbwt8IQLH

Score

10^/10

hive credential_access discovery persistence ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\$Recycle.Bin\HOW_TO_DECRYPT.txt

Family

hive

Ransom Note

Your network has been breached and all data is encrypted. To decrypt all the data you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: EQA9oydTxwXS Password: vNtgAgb3kMFmCooANNQr Follow the guidelines below to avoid losing your data: - Do not shutdown or reboot your computers, unmount external storages. - Do not try to decrypt data using third party software. It may cause irreversible damage. - Do not fool yourself. Encryption has perfect secrecy and it's impossible to decrypt without knowing the key. - Do not modify, rename or delete *.key.hive files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to authorities. The negotiation process will be terminated immediately and the key will be erased. - Do not reject to purchase. Your sensitive data will be publicly disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

URLs

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

Signatures

Detects Go variant of Hive Ransomware 15 IoCs

resource	yara_rule
behavioral2/memory/2188-2-0x0000000000440000-0x00000000006A3000-memory.dmp	hive_go
behavioral2/memory/2188-1-0x0000000000440000-0x00000000006A3000-memory.dmp	hive_go
behavioral2/memory/2188-2148-0x0000000000440000-0x00000000006A3000-memory.dmp	hive_go
behavioral2/memory/2188-4346-0x0000000000440000-0x00000000006A3000-memory.dmp	hive_go
behavioral2/memory/2188-6508-0x0000000000440000-0x00000000006A3000-memory.dmp	hive_go
behavioral2/memory/2188-9518-0x0000000000440000-0x00000000006A3000-memory.dmp	hive_go
behavioral2/memory/2188-15342-0x0000000000440000-0x00000000006A3000-memory.dmp	hive_go
behavioral2/memory/2188-18592-0x0000000000440000-0x00000000006A3000-memory.dmp	hive_go
behavioral2/memory/2188-22795-0x0000000000440000-0x00000000006A3000-memory.dmp	hive_go
behavioral2/memory/2188-22797-0x0000000000440000-0x00000000006A3000-memory.dmp	hive_go
behavioral2/memory/2188-22798-0x0000000000440000-0x00000000006A3000-memory.dmp	hive_go
behavioral2/memory/2188-24196-0x0000000000440000-0x00000000006A3000-memory.dmp	hive_go
behavioral2/memory/2188-24197-0x0000000000440000-0x00000000006A3000-memory.dmp	hive_go
behavioral2/memory/2188-24198-0x0000000000440000-0x00000000006A3000-memory.dmp	hive_go
behavioral2/memory/2188-24199-0x0000000000440000-0x00000000006A3000-memory.dmp	hive_go

Hive
A ransomware written in Golang first seen in June 2021.
ransomware hive
Hive family
hive

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Drops file in Drivers directory 20 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\en-US\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Windows\SysWOW64\drivers\uk-UA\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\SysWOW64\drivers\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Windows\SysWOW64\drivers\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\SysWOW64\drivers\uk-UA\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\HOW_TO_DECRYPT.txt	Hive Ransomware.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Hive Ransomware.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.sxMih-XyPRRau3vNGAwWH2v-r0RkN2IRdwuMZyZbv0I.hive	Hive Ransomware.exe

Executes dropped EXE 2 IoCs

pid	Process
2724	EXCEL.EXE
4548	WINWORD.EXE

Loads dropped DLL 9 IoCs

pid	Process
3372	Process not Found
3372	Process not Found
3372	Process not Found
2724	EXCEL.EXE
2724	EXCEL.EXE
3372	Process not Found
3372	Process not Found
3372	Process not Found
4548	WINWORD.EXE

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	Hive Ransomware.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2593460650-190333679-3676257533-1000\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	Hive Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Public\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Program Files\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2593460650-190333679-3676257533-1000\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	Hive Ransomware.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Hive Ransomware.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Licenses\neutral\Volume\Professional\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmirmdm.inf_amd64_ba5b77b7d46bc10d\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Windows\SysWOW64\de\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Windows\SysWOW64\sru\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\SysWOW64\PerceptionSimulation\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\SysWOW64\oobe\en-US\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\miradisp.inf_amd64_14cd3615d012fdf0\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbc64.inf_amd64_b96cdf411c43c00c\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\pnpxinternetgatewaydevices.inf_amd64_82b90e51473d48ea\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\urschipidea.inf_amd64_78ad1c14e33df968\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetworkTransition\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCClassResources\WindowsPackageCab\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Windows\SysWOW64\he-IL\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_magneticstripereader.inf_amd64_86e291110e37418b\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_8bc1bda6cf47380c\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wpdmtp.inf_amd64_42b97498c7087292\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppLocker\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ServiceResource\de-DE\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Windows\SysWOW64\wbem\it-IT\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\Volume\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\0006\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0404\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\SysWOW64\Speech\Common\de-DE\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\de-DE\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\WindowsFeatureSet\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\SysWOW64\he-IL\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netmlx5.inf_amd64_101a408e6cb1d8f8\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Windows\SysWOW64\F12\ja-JP\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\fr\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RoleResource\es-ES\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\acpidev.inf_amd64_0f7f041f33bd01cc\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_computeaccelerator.inf_amd64_9d34992b3634b396\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmoto1.inf_amd64_5b5f11128afa2611\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wstorvsc.inf_amd64_50cb8ebb1c9584af\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_GroupResource\en-US\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\SysWOW64\winrm\0407\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\0024\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ScriptResource\ja-JP\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\SysWOW64\Com\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\Professional\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvwwanmp.inf_amd64_f9e30429669d7fff\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\fr\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudio.inf_amd64_fe5b23ea7991a359\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndisvirtualbus.inf_amd64_e8d548ad6f0a613a\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\es\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForSome\es-ES\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\SysWOW64\nb-NO\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Windows\SysWOW64\MUI\dispspec\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\SysWOW64\DiagSvcs\es-ES\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\iagpio.inf_amd64_07b64df61e783bfe\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmarn.inf_amd64_947cdd3822225c16\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmot64.inf_amd64_2afbe7d3ad20f42a\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_fdc.inf_amd64_fe3599e7eac09e7f\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_amd64_9c09bd1df352f065\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\de-DE\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCClassResources\WindowsPackageCab\fr-FR\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\Volume\Professional\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\avc.inf_amd64_0eaf27d749819837\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmar1.inf_amd64_b2ebe9229789b181\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmsii64.inf_amd64_0f02175b17cd3f66\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_LogResource\de-DE\HOW_TO_DECRYPT.txt	Hive Ransomware.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2188-0-0x0000000000440000-0x00000000006A3000-memory.dmp	upx
behavioral2/memory/2188-2-0x0000000000440000-0x00000000006A3000-memory.dmp	upx
behavioral2/memory/2188-1-0x0000000000440000-0x00000000006A3000-memory.dmp	upx
behavioral2/memory/2188-2148-0x0000000000440000-0x00000000006A3000-memory.dmp	upx
behavioral2/memory/2188-4346-0x0000000000440000-0x00000000006A3000-memory.dmp	upx
behavioral2/memory/2188-6508-0x0000000000440000-0x00000000006A3000-memory.dmp	upx
behavioral2/memory/2188-9518-0x0000000000440000-0x00000000006A3000-memory.dmp	upx
behavioral2/memory/2188-15342-0x0000000000440000-0x00000000006A3000-memory.dmp	upx
behavioral2/memory/2188-18592-0x0000000000440000-0x00000000006A3000-memory.dmp	upx
behavioral2/memory/2188-22795-0x0000000000440000-0x00000000006A3000-memory.dmp	upx
behavioral2/memory/2188-22797-0x0000000000440000-0x00000000006A3000-memory.dmp	upx
behavioral2/memory/2188-22798-0x0000000000440000-0x00000000006A3000-memory.dmp	upx
behavioral2/memory/2188-24196-0x0000000000440000-0x00000000006A3000-memory.dmp	upx
behavioral2/memory/2188-24197-0x0000000000440000-0x00000000006A3000-memory.dmp	upx
behavioral2/memory/2188-24198-0x0000000000440000-0x00000000006A3000-memory.dmp	upx
behavioral2/memory/2188-24199-0x0000000000440000-0x00000000006A3000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare-Dark.scale-100.png	Hive Ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\manifest.xml.sxMih-XyPRRau3vNGAwWH49SoXXsmzth4bwW8vA9Eho.hive	Hive Ransomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\msedgeupdateres_lv.dll	Hive Ransomware.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsBase.resources.dll.sxMih-XyPRRau3vNGAwWHytK5h-uBL8xT5v4elpTiQo.hive	Hive Ransomware.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Exchange.scale-200.png	Hive Ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\concrt140.dll.sxMih-XyPRRau3vNGAwWH2ILab1YBnIZBitSEXyFp1w.hive	Hive Ransomware.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\MEIPreload\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\ReachFramework.resources.dll.sxMih-XyPRRau3vNGAwWH7k3YdmxQHJw4SykBo3ZtFM.hive	Hive Ransomware.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Microsoft.Applications.Telemetry.Windows.winmd	Hive Ransomware.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\office.odf	Hive Ransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Combine_R_RHP.aapp	Hive Ransomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\gd.pak.DATA.sxMih-XyPRRau3vNGAwWH8dRKyfqwFtznM7trL0B5HQ.hive	Hive Ransomware.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\WideTile.scale-100_contrast-black.png	Hive Ransomware.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\winsdkfb\Images\fb_blank_profile_portrait.png	Hive Ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe.sxMih-XyPRRau3vNGAwWHw9UrcgPMdcgWgaV-9OwkVA.hive	Hive Ransomware.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\uk-UA\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL112.XML.sxMih-XyPRRau3vNGAwWH0tSKFsbMyMqRJ_JxoJKxFU.hive	Hive Ransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_da_135x40.svg	Hive Ransomware.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\identity_proxy\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Xml.Linq.Resources.dll	Hive Ransomware.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.DataAnnotations.dll.sxMih-XyPRRau3vNGAwWH4ZWkVBCR8NKHfFuR_wfADE.hive	Hive Ransomware.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui	Hive Ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ul-oob.xrm-ms	Hive Ransomware.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-64_altform-unplated.png	Hive Ransomware.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EMLAttachmentIcon.png	Hive Ransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME.txt.sxMih-XyPRRau3vNGAwWH7yZ1uIHLjlvwtROh-SsAjk.hive	Hive Ransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-1-0.dll.sxMih-XyPRRau3vNGAwWH_sCjtWH2gtwMqhfIXP7GRk.hive	Hive Ransomware.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Dark.scale-200.png	Hive Ransomware.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Entity.Design.Resources.dll	Hive Ransomware.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Xaml.resources.dll.sxMih-XyPRRau3vNGAwWH_PUOl4HuMdm6XMX4GeOSxI.hive	Hive Ransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\rhp\exportpdfupsell-app-selector.js	Hive Ransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\close.svg	Hive Ransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sk-sk\ui-strings.js	Hive Ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare_col.hxc	Hive Ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-100.png.sxMih-XyPRRau3vNGAwWH315CBoxUnZirmgj9vkJq2U.hive	Hive Ransomware.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\3039_24x24x32.png	Hive Ransomware.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\LargeLogo.scale-100_contrast-black.png	Hive Ransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msjro.dll	Hive Ransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\TabTip32.exe.mui	Hive Ransomware.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.dll.sxMih-XyPRRau3vNGAwWH-LhHNjTn58QbhaEcdu6zHQ.hive	Hive Ransomware.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.NameResolution.dll.sxMih-XyPRRau3vNGAwWH9yYijq4FSx7sphauIZk3kk.hive	Hive Ransomware.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorlib.dll.sxMih-XyPRRau3vNGAwWHxoah3i1xKF8VRtcXnXzhQg.hive	Hive Ransomware.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clretwrc.dll.sxMih-XyPRRau3vNGAwWHy_ZsB2x9MQZ2RKz1L4Y01Y.hive	Hive Ransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\standards_poster.png.sxMih-XyPRRau3vNGAwWH7D0eCBquT8JkA96MLXnn3o.hive	Hive Ransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\tool\plugin.js.sxMih-XyPRRau3vNGAwWH_pQ7h-U6IBQoOvTNEj6hXc.hive	Hive Ransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe.sxMih-XyPRRau3vNGAwWHwRQJSAmuepfP6vTcZNISjM.hive	Hive Ransomware.exe
File created	C:\Program Files\Microsoft Office\root\Office16\QUERIES\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Forms.dll	Hive Ransomware.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-400.png	Hive Ransomware.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-96.png	Hive Ransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\SearchEmail.png.sxMih-XyPRRau3vNGAwWHzj-E2MDx88963bvxOAvHBw.hive	Hive Ransomware.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-100.HCBlack.png	Hive Ransomware.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.StackTrace.dll	Hive Ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\ExcelMessageDismissal.txt.sxMih-XyPRRau3vNGAwWH9z1Pl7cct58y2qoTF0o_RM.hive	Hive Ransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\et_get.svg.sxMih-XyPRRau3vNGAwWH53yElM6dTV9WS8OVB7foDY.hive	Hive Ransomware.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-256_contrast-black.png	Hive Ransomware.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\NPSPWRAP.DLL.sxMih-XyPRRau3vNGAwWHwNGCUMtyu4u7iryyRAFPhY.hive	Hive Ransomware.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailWideTile.scale-200.png	Hive Ransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pt-br\ui-strings.js	Hive Ransomware.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\wow64_microsoft-windows-vssapi-core_31bf3856ad364e35_10.0.19041.746_none_c287b036aef8da56\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mff1be75b#\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\SystemApps\NcsiUwpApp_8wekyb3d8bbwe\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-edp-task.resources_31bf3856ad364e35_10.0.19041.1_en-us_7edbe224434e420b\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-inetres-adm.resources_31bf3856ad364e35_11.0.19041.1_ja-jp_8850b30f44f96c52\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..adaptiveportmonitor_31bf3856ad364e35_10.0.19041.264_none_0238f6fabd045ed3\r\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-qos-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_10b8cd361bb258b9\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..-inputdll.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d6bdbe7898501615\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_netmyk64.inf.resources_31bf3856ad364e35_10.0.19041.1_de-de_1188fbfde7ffb9ff\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_system.web.entity.design.resources_b77a5c561934e089_4.0.15805.0_it-it_530d02618fb9d26b\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.SecureBoot.Commands.Resources\v4.0_10.0.0.0_ja_31bf3856ad364e35\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics.resources\v4.0_4.0.0.0_es_b77a5c561934e089\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\WindowsApps\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..rformance.resources_31bf3856ad364e35_10.0.19041.1_es-es_ef725923373e7176\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..windowmanager-redir_31bf3856ad364e35_10.0.19041.1266_none_a5cd18cc18a95cbd\f\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ie-f12diagnosticstap_31bf3856ad364e35_11.0.19041.746_none_d3dacb61ffa82429\r\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..onwakesettingflyout_31bf3856ad364e35_10.0.19041.746_none_8a469514405342ff\f\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-winsetupui.resources_31bf3856ad364e35_10.0.19041.1_it-it_a5a39ad6ebded6a6\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_dual_netrndis.inf_31bf3856ad364e35_10.0.19041.488_none_559eb4c6233414d5\r\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_11.0.19041.1165_none_cbcbe0c900c7339c\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-vault-cpl_31bf3856ad364e35_10.0.19041.423_none_d57ebf249a4ef3f8\f\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..erservice.resources_31bf3856ad364e35_10.0.19041.1_en-us_a6b88435313203cc\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_networking-mpssvc-powershell-windows_31bf3856ad364e35_10.0.19041.1_none_72020756be715fb9\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_usbser.inf.resources_31bf3856ad364e35_10.0.19041.1_it-it_83c723998d4fac65\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_wstorvsp.inf.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_21cfbc4b68e71483\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_dual_iscsi.inf_31bf3856ad364e35_10.0.19041.1151_none_2548defe90359599\f\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..wdm-audio.resources_31bf3856ad364e35_10.0.19041.1_en-us_26a4e6c8a1381605\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..ardbackgroundpolicy_31bf3856ad364e35_10.0.19041.746_none_08d146b3a00cb6b6\f\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..-cryptngc.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_98b83abfee1f841f\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-alacdecoder_31bf3856ad364e35_10.0.19041.746_none_c5d6bcaad5e1c6c7\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-control_31bf3856ad364e35_10.0.19041.1_none_59b1b1137e3c1ce3\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-updatepolicy_31bf3856ad364e35_10.0.19041.1_none_1ccf32c36700fac1\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-wlangpui_31bf3856ad364e35_10.0.19041.746_none_28cac5599dc25eb1\f\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..memanager.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_8954e205e48ee50a\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..nt-dmpushroutercore_31bf3856ad364e35_10.0.19041.1151_none_d549bb8355b4ced1\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..ent-winrt.resources_31bf3856ad364e35_10.0.19041.1_en-us_2e5ef34edff76beb\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_2b0bfc08919fc783\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-directx-direct3d12_31bf3856ad364e35_10.0.19041.1266_none_6ed2b5e6b73e4927\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-qedit_31bf3856ad364e35_10.0.19041.1_none_1ae194831b25a03d\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-rtworkq_31bf3856ad364e35_10.0.19041.1_none_ae342d0afcca5b90\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-t..aceruntimeproxystub_31bf3856ad364e35_10.0.19041.1_none_d97c78aa3213326e\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_c_ports.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_fa48532b71d7f47c\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-rasbase-ndiswan_31bf3856ad364e35_10.0.19041.1151_none_6808a5d10c74690a\r\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..nkobjcore.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_2d82ba4259797cbe\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_system.servicemodel.discovery_31bf3856ad364e35_4.0.15805.110_none_f509b1bb8df3c90c\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-telephony-phoneutil_31bf3856ad364e35_10.0.19041.746_none_c9743399758cb81d\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-m..-r-backcompat-tlb28_31bf3856ad364e35_10.0.19041.1_none_db7cb8c3606ac760\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_dual_mshdc.inf_31bf3856ad364e35_10.0.19041.1_none_d168bf476edd273a\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-c..orization.resources_31bf3856ad364e35_10.0.19041.1_it-it_c9efb6a822d6d50f\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..reensaver.resources_31bf3856ad364e35_10.0.19041.1_en-us_c6c820c76fa3c1b7\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft.windows.dsc.core.resources_31bf3856ad364e35_10.0.19041.1_en-us_d06c25db9e31c31b\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\wow64_windows-id-connecte..nt-provider-activex_31bf3856ad364e35_10.0.19041.746_none_537b4fd4a532b243\r\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m...appxmain.resources_31bf3856ad364e35_10.0.19041.1_es-es_00b96133c19744eb\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..diafoundationplugin_31bf3856ad364e35_10.0.19041.746_none_565d6a59126c94c6\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_windows-storage-compression-winrt_31bf3856ad364e35_10.0.19041.746_none_c03a28cec93dba5b\f\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-a..olicy-snapin-native_31bf3856ad364e35_10.0.19041.746_none_27b97ba8c30fd901\r\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\wow64_windows-storage-applicationdata-winrt_31bf3856ad364e35_10.0.19041.746_none_ccbed6de69b40136\f\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\diagnostics\system\PCW\es-ES\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\microsoft.system.package.metadata\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_c_usbdevice.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_9f156093de8c7252\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-containerdiagnosticstool_31bf3856ad364e35_10.0.19041.1_none_3d521dedd6c76700\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-dot3gpui.resources_31bf3856ad364e35_10.0.19041.1_de-de_28ee2f2cf1346efc\HOW_TO_DECRYPT.txt	Hive Ransomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-msftedit.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_335412820cafc25b\HOW_TO_DECRYPT.txt	Hive Ransomware.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hive Ransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 64 IoCs

defense_evasion

pid	Process
3792	timeout.exe
3824	timeout.exe
4076	timeout.exe
4756	timeout.exe
2016	timeout.exe
4756	timeout.exe
3900	timeout.exe
1980	timeout.exe
3984	timeout.exe
4832	timeout.exe
2424	timeout.exe
4040	timeout.exe
372	timeout.exe
4192	timeout.exe
4056	timeout.exe
4556	timeout.exe
4548	timeout.exe
1648	timeout.exe
4816	timeout.exe
4668	timeout.exe
3000	timeout.exe
4640	timeout.exe
3480	timeout.exe
4644	timeout.exe
3024	timeout.exe
4832	timeout.exe
1492	timeout.exe
1156	timeout.exe
4744	timeout.exe
2740	timeout.exe
4044	timeout.exe
956	timeout.exe
1504	timeout.exe
1452	timeout.exe
4056	timeout.exe
1364	timeout.exe
2712	timeout.exe
1512	timeout.exe
544	timeout.exe
2348	timeout.exe
3712	timeout.exe
3472	timeout.exe
2704	timeout.exe
2364	timeout.exe
1076	timeout.exe
4192	timeout.exe
4512	timeout.exe
3500	timeout.exe
5000	timeout.exe
2372	timeout.exe
4860	timeout.exe
4192	timeout.exe
1452	timeout.exe
812	timeout.exe
2240	timeout.exe
4680	timeout.exe
3604	timeout.exe
112	timeout.exe
2148	timeout.exe
3588	timeout.exe
4584	timeout.exe
1048	timeout.exe
4832	timeout.exe
4200	timeout.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2593460650-190333679-3676257533-1000\{E3080598-C04B-4B93-9A2D-CF75A89D9D17}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2188	Hive Ransomware.exe
2188	Hive Ransomware.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3952	explorer.exe
Token: SeCreatePagefilePrivilege	3952	explorer.exe
Token: SeShutdownPrivilege	3952	explorer.exe
Token: SeCreatePagefilePrivilege	3952	explorer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3952	explorer.exe
3952	explorer.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3952	explorer.exe
3952	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3820	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 4288	2188	Hive Ransomware.exe	95
PID 2188 wrote to memory of 4288	2188	Hive Ransomware.exe	95
PID 2188 wrote to memory of 4288	2188	Hive Ransomware.exe	95
PID 2188 wrote to memory of 396	2188	Hive Ransomware.exe	96
PID 2188 wrote to memory of 396	2188	Hive Ransomware.exe	96
PID 2188 wrote to memory of 396	2188	Hive Ransomware.exe	96
PID 4288 wrote to memory of 2424	4288	cmd.exe	99
PID 4288 wrote to memory of 2424	4288	cmd.exe	99
PID 4288 wrote to memory of 2424	4288	cmd.exe	99
PID 4288 wrote to memory of 4756	4288	cmd.exe	100
PID 4288 wrote to memory of 4756	4288	cmd.exe	100
PID 4288 wrote to memory of 4756	4288	cmd.exe	100
PID 4288 wrote to memory of 812	4288	cmd.exe	101
PID 4288 wrote to memory of 812	4288	cmd.exe	101
PID 4288 wrote to memory of 812	4288	cmd.exe	101
PID 4288 wrote to memory of 3900	4288	cmd.exe	102
PID 4288 wrote to memory of 3900	4288	cmd.exe	102
PID 4288 wrote to memory of 3900	4288	cmd.exe	102
PID 4288 wrote to memory of 432	4288	cmd.exe	103
PID 4288 wrote to memory of 432	4288	cmd.exe	103
PID 4288 wrote to memory of 432	4288	cmd.exe	103
PID 4288 wrote to memory of 4192	4288	cmd.exe	105
PID 4288 wrote to memory of 4192	4288	cmd.exe	105
PID 4288 wrote to memory of 4192	4288	cmd.exe	105
PID 4288 wrote to memory of 3080	4288	cmd.exe	106
PID 4288 wrote to memory of 3080	4288	cmd.exe	106
PID 4288 wrote to memory of 3080	4288	cmd.exe	106
PID 4288 wrote to memory of 1564	4288	cmd.exe	107
PID 4288 wrote to memory of 1564	4288	cmd.exe	107
PID 4288 wrote to memory of 1564	4288	cmd.exe	107
PID 4288 wrote to memory of 2876	4288	cmd.exe	110
PID 4288 wrote to memory of 2876	4288	cmd.exe	110
PID 4288 wrote to memory of 2876	4288	cmd.exe	110
PID 4288 wrote to memory of 956	4288	cmd.exe	111
PID 4288 wrote to memory of 956	4288	cmd.exe	111
PID 4288 wrote to memory of 956	4288	cmd.exe	111
PID 4288 wrote to memory of 3000	4288	cmd.exe	112
PID 4288 wrote to memory of 3000	4288	cmd.exe	112
PID 4288 wrote to memory of 3000	4288	cmd.exe	112
PID 4288 wrote to memory of 1248	4288	cmd.exe	113
PID 4288 wrote to memory of 1248	4288	cmd.exe	113
PID 4288 wrote to memory of 1248	4288	cmd.exe	113
PID 4288 wrote to memory of 4832	4288	cmd.exe	114
PID 4288 wrote to memory of 4832	4288	cmd.exe	114
PID 4288 wrote to memory of 4832	4288	cmd.exe	114
PID 4288 wrote to memory of 4200	4288	cmd.exe	116
PID 4288 wrote to memory of 4200	4288	cmd.exe	116
PID 4288 wrote to memory of 4200	4288	cmd.exe	116
PID 4288 wrote to memory of 1980	4288	cmd.exe	117
PID 4288 wrote to memory of 1980	4288	cmd.exe	117
PID 4288 wrote to memory of 1980	4288	cmd.exe	117
PID 4288 wrote to memory of 3984	4288	cmd.exe	118
PID 4288 wrote to memory of 3984	4288	cmd.exe	118
PID 4288 wrote to memory of 3984	4288	cmd.exe	118
PID 4288 wrote to memory of 544	4288	cmd.exe	119
PID 4288 wrote to memory of 544	4288	cmd.exe	119
PID 4288 wrote to memory of 544	4288	cmd.exe	119
PID 4288 wrote to memory of 4424	4288	cmd.exe	121
PID 4288 wrote to memory of 4424	4288	cmd.exe	121
PID 4288 wrote to memory of 4424	4288	cmd.exe	121
PID 4288 wrote to memory of 432	4288	cmd.exe	123
PID 4288 wrote to memory of 432	4288	cmd.exe	123
PID 4288 wrote to memory of 432	4288	cmd.exe	123
PID 4288 wrote to memory of 2876	4288	cmd.exe	124

C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe
"C:\Users\Admin\AppData\Local\Temp\Hive Ransomware.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c hive.bat >NUL 2>NUL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2424
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4756
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:812
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3900
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:432
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4192
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3080
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:956
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3000
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1248
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4832
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4200
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1980
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3984
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:544
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4424
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:432
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4512
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1080
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3500
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4192
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1348
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2212
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2364
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3944
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1612
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1452
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1348
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1504
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:536
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1364
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3760
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:5000
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2272
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1820
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3920
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:5096
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:812
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4912
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2348
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3700
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1076
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1196
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:112
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3792
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4348
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4192
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2372
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1820
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4832
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2148
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3588
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4548
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3804
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:5060
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2240
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:5064
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3824
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4884
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1080
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1156
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4356
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3712
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4264
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1452
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2712
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4640
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3080
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3876
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4008
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1456
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4496
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1348
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4056
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1364
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1820
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2404
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3480
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4040
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:372
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4744
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2740
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3472
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4220
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3872
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3876
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2704
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4584
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1048
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4076
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3604
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4680
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4536
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4792
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3304
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4644
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4756
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3588
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4996
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3024
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4056
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4940
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1368
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4608
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4556
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2016
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:432
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:772
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:540
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3904
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1648
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:872
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1512
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4136
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:112
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4832
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4124
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4860
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3572
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4816
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1492
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3592
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4044
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c shadow.bat >NUL 2>NUL
  2⤵
  - System Location Discovery: System Language Discovery
  PID:396

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\UnpublishAssert.xlsx"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3820

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\StepRestore.dotm"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4548

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\HOW_TO_DECRYPT.txt

Filesize
1KB

MD5
80207d0f8ea42bdfeaf9f5c586230aca

SHA1
747481fe2b0b6d81c3b19ba62d1e49eab6a5461f

SHA256
25edefb3b0678dfe0d927ff48ce67254359ba379df9468f634d02c026f0e7131

SHA512
73f68ce9e98d2346be1762bd54bb06ef83ae939dfbcf9b786d9b773fa454352613387d264b7a87a1c08950226553817bf01f5aa4107bc12de36a1689e2137304

Download Submit
C:\$Recycle.Bin\S-1-5-21-2593460650-190333679-3676257533-1000\desktop.ini

Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Filesize
1.9MB

MD5
c63e6c17fa58deaef044b159566eb549

SHA1
a5af9542c7f56cf98eaf01f1bbdc0bd528aee147

SHA256
74de25834cbfeb41c3053bf976f958dbe27def7b2e4d1e11d7d7d05f3700529c

SHA512
fd005b6d94192758ca136b638b0a78dd3e9f15aa1718eb43b5b42a63706523b83800151c56afa77d5a58b1bcb1e6cc4dc19d088cd38af45baac5c24b64d8be6e

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
1.7MB

MD5
c606bd7c9c733dd27f74157c34e51742

SHA1
aab92689723449fbc3e123fb614dd536a74b74d4

SHA256
606390649012b31b5d83630f1186562e4b1ce4023d8870d8c29eb62e7e0769e0

SHA512
5f8fabe3d9753413d1aedcc76b9568c50dd25a5a6aeacd1ce88aecc28c0ba96dac80177679d380708213a0997946e49383bdaca7114c8c9526a24ed999194e38

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msvcp140.dll

Filesize
613KB

MD5
c1b066f9e3e2f3a6785161a8c7e0346a

SHA1
8b3b943e79c40bc81fdac1e038a276d034bbe812

SHA256
99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd

SHA512
36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vcruntime140.dll

Filesize
83KB

MD5
1453290db80241683288f33e6dd5e80e

SHA1
29fb9af50458df43ef40bfc8f0f516d0c0a106fd

SHA256
2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c

SHA512
4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.sxMih-XyPRRau3vNGAwWH1lXeMom26Jv2ytQoWbNAi8.hive

Filesize
622KB

MD5
9a478fb3256eae32d9e6eb787264b443

SHA1
3f2650a3415c71f8fb3b811573e7b1207f2fd45e

SHA256
0b86d5f9652788d6941eded49b77784041d7acb5fc3cb7c64bea4242f911ee34

SHA512
6a2cb12d11feabe476e65f8f1a0f29b7eec9b0b5a9bf83a47467d2b8fa80bf962756a4e3e1e885b54851b35c363f902fba9df32cb97867f5c3745595ca9836de

Download Submit
C:\Users\Admin\AppData\Local\Temp\hive.bat

Filesize
184B

MD5
dc70612dee31a62e834e95709feaa5f7

SHA1
e3bbac5149ec5f27af0743d4fd332622920d518d

SHA256
07dc3fa1e68246d5a57206cf5ae3598a00049a80339bcd89db12fb1b10ba785c

SHA512
4a43ffae88b8026d272626aecb091a4177dec2ffc9f83999dc62499a2ecf80849580e32ddcbb40a57acca90e9dce1a9ab5712544fea96d4f68821c7bc39e1162

Download Submit
C:\Users\Admin\AppData\Local\Temp\shadow.bat

Filesize
57B

MD5
df5552357692e0cba5e69f8fbf06abb6

SHA1
4714f1e6bb75a80a8faf69434726d176b70d7bd8

SHA256
d158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8

SHA512
a837555a1175ab515e2b43da9e493ff0ccd4366ee59defe6770327818ca9afa6f3e39ecdf5262b69253aa9e2692283ee8cebc97d58edd42e676977c7f73d143d

Download Submit
memory/2188-18592-0x0000000000440000-0x00000000006A3000-memory.dmp

Filesize
2.4MB

Download
memory/2188-22795-0x0000000000440000-0x00000000006A3000-memory.dmp

Filesize
2.4MB

Download
memory/2188-4346-0x0000000000440000-0x00000000006A3000-memory.dmp

Filesize
2.4MB

Download
memory/2188-1-0x0000000000440000-0x00000000006A3000-memory.dmp

Filesize
2.4MB

Download
memory/2188-6508-0x0000000000440000-0x00000000006A3000-memory.dmp

Filesize
2.4MB

Download
memory/2188-9518-0x0000000000440000-0x00000000006A3000-memory.dmp

Filesize
2.4MB

Download
memory/2188-0-0x0000000000440000-0x00000000006A3000-memory.dmp

Filesize
2.4MB

Download
memory/2188-15342-0x0000000000440000-0x00000000006A3000-memory.dmp

Filesize
2.4MB

Download
memory/2188-2-0x0000000000440000-0x00000000006A3000-memory.dmp

Filesize
2.4MB

Download
memory/2188-2148-0x0000000000440000-0x00000000006A3000-memory.dmp

Filesize
2.4MB

Download
memory/2188-22797-0x0000000000440000-0x00000000006A3000-memory.dmp

Filesize
2.4MB

Download
memory/2188-22798-0x0000000000440000-0x00000000006A3000-memory.dmp

Filesize
2.4MB

Download
memory/2188-24196-0x0000000000440000-0x00000000006A3000-memory.dmp

Filesize
2.4MB

Download
memory/2188-24197-0x0000000000440000-0x00000000006A3000-memory.dmp

Filesize
2.4MB

Download
memory/2188-24198-0x0000000000440000-0x00000000006A3000-memory.dmp

Filesize
2.4MB

Download
memory/2188-24199-0x0000000000440000-0x00000000006A3000-memory.dmp

Filesize
2.4MB

Download