Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 11/03/2025, 10:30
Behavioral task behavioral1: sample HiveRansomware.exe, resource win7-20240903-en
Behavioral task behavioral2: sample HiveRansomware.exe, resource win10v2004-20250217-en
General
Target: HiveRansomware.exe
Size: 764KB
MD5: 2f9fc82898d718f2abe99c4a6fa79e69
SHA1: 9d336b8911c8ffd7cc809e31d5b53796bb0cc7bb
SHA256: 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1
SHA512: 19f0879b1c54d305ab7a97a0d46ab79c103d4687fe37d5f9ef1934904eea48a1c66b1ac2de3dace6dc0d91623309287044c198cb0b3fc9f8453fbc9d1c0cae8b
SSDEEP: 12288:CinNFNkY/yU97ppM4NSBG81Np2C9H4S3iDjlLtc4wCIITIQaOI6NrwacVYV+4MsT:CinN3n/y67jM4v4kCSPDjlLtbwt8IQLH
Malware Config
Extracted from: F:\$RECYCLE.BIN\HOW_TO_DECRYPT.txt
Family: hive
URLs:
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
The note was recovered from the recycle bin of the secondary F: volume, so the encryptor reached attached volumes beyond C:. The two .onion addresses are the victim negotiation portal (hivecust...) and the Hive leak site (hiveleakdb...). They are useful as ransom-note indicators, but as Tor hidden services they do not show up in DNS or proxy logs; detect the note file and the encrypted-name pattern instead.
Signatures

Detects Go variant of Hive Ransomware 15 IoCs
resource | yara_rule
behavioral1/memory/2692-2-0x0000000000380000-0x00000000005E3000-memory.dmp | hive_go
behavioral1/memory/2692-1-0x0000000000380000-0x00000000005E3000-memory.dmp | hive_go
behavioral1/memory/2692-2975-0x0000000000380000-0x00000000005E3000-memory.dmp | hive_go
behavioral1/memory/2692-7136-0x0000000000380000-0x00000000005E3000-memory.dmp | hive_go
behavioral1/memory/2692-9184-0x0000000000380000-0x00000000005E3000-memory.dmp | hive_go
behavioral1/memory/2692-11440-0x0000000000380000-0x00000000005E3000-memory.dmp | hive_go
behavioral1/memory/2692-14103-0x0000000000380000-0x00000000005E3000-memory.dmp | hive_go
behavioral1/memory/2692-15864-0x0000000000380000-0x00000000005E3000-memory.dmp | hive_go
behavioral1/memory/2692-16700-0x0000000000380000-0x00000000005E3000-memory.dmp | hive_go
behavioral1/memory/2692-17469-0x0000000000380000-0x00000000005E3000-memory.dmp | hive_go
behavioral1/memory/2692-17489-0x0000000000380000-0x00000000005E3000-memory.dmp | hive_go
behavioral1/memory/2692-17490-0x0000000000380000-0x00000000005E3000-memory.dmp | hive_go
behavioral1/memory/2692-17491-0x0000000000380000-0x00000000005E3000-memory.dmp | hive_go
behavioral1/memory/2692-17492-0x0000000000380000-0x00000000005E3000-memory.dmp | hive_go
behavioral1/memory/2692-17493-0x0000000000380000-0x00000000005E3000-memory.dmp | hive_go
All 15 hits are successive snapshots of one region (0x380000-0x5E3000) of pid 2692 in behavioral1, the Windows 7 run; the Windows 10 run (behavioral2) is not represented in this section.
Hive
A ransomware written in Golang, first seen in June 2021. Later Hive builds were ported to Rust; the yara rule name hive_go identifies this sample as one of the Go builds.

Hive family
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery. No process or command-line IoC is attached to this signature on this page, so confirm it in the full process tree before relying on it: Hive typically removes shadow copies through vssadmin.exe or wmic.exe shadowcopy delete, and neither invocation is visible in the IoCs shown here.
Drops file in Drivers directory 28 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\drivers\UMDF\es-ES\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\drivers\UMDF\fr-FR\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\drivers\ja-JP\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\de-DE\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\ja-JP\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\drivers\UMDF\de-DE\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\drivers\es-ES\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\drivers\it-IT\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\es-ES\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\drivers\UMDF\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\drivers\UMDF\ja-JP\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\drivers\fr-FR\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File opened for modification | C:\Windows\SysWOW64\drivers\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\it-IT\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\drivers\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\drivers\UMDF\it-IT\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\drivers\de-DE\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\drivers\en-US\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\fr-FR\HOW_TO_DECRYPT.txt | HiveRansomware.exe
Every row here is the ransom note being written into a subdirectory of the drivers tree; no driver file is dropped or modified. The signature fires on the path, not on the content, and every note directory appears once as "File created" and once as "File opened for modification", so the sample writes the note in one pass and re-opens it in another.
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History. No IoC rows are attached to this signature, so treat it as low confidence on its own: an encryptor that walks every user profile is expected to open the Credential Manager folders under AppData as part of ordinary traversal, and nothing on this page shows the vault contents being read or sent anywhere.
Drops startup file 4 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | HiveRansomware.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.UKtxmF683abWQOz4bIXm0n6hLVnpV2JXmS2OXD2gR1Y.hive | HiveRansomware.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW_TO_DECRYPT.txt | HiveRansomware.exe
This is not executable persistence: the only files placed in the Startup folders are the ransom note and the encrypted desktop.ini. A .txt in the shell Startup folder is opened with its associated viewer at logon, so the effect is that the note is displayed after a reboot. The desktop.ini row also shows the encrypted-name format used throughout this run: original name, a 43-character base64url token, then .hive.
Loads dropped DLL 15 IoCs
pid | Process | loads
2804 | MsiExec.exe | 8
1896 | msiexec.exe | 6
1856 | MsiExec.exe | 1
Every row in this signature belongs to msiexec.exe, not to HiveRansomware.exe, and none of the file-drop sections on this page shows the sample writing an MSI package or a DLL. Check the process tree for whether these msiexec processes are children of the sample before attributing the DLL loads to it.
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc. For a file encryptor this signature is usually a side effect of walking the browser profile directories: the desktop.ini section below shows the sample opening files under Feeds Cache, History.IE5 and Content.IE5, which is consistent with enumeration for encryption rather than credential theft.
Drops desktop.ini file(s) 64 IoCs
All 64 rows: description File opened for modification, Process HiveRansomware.exe. ioc:
C:\Users\Admin\Searches\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
F:\$RECYCLE.BIN\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini
C:\Program Files\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
C:\Users\Admin\Pictures\desktop.ini
C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8O71085\desktop.ini
C:\Users\Admin\Contacts\desktop.ini
C:\Users\Public\Desktop\desktop.ini
C:\Users\Public\Music\Sample Music\desktop.ini
C:\Program Files (x86)\desktop.ini
C:\Users\Public\Recorded TV\desktop.ini
C:\Program Files\Microsoft Games\Purble Place\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\3W44XPEP\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini
C:\Users\Admin\Documents\desktop.ini
C:\Users\Admin\Music\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Public\Libraries\desktop.ini
C:\Program Files\Microsoft Games\Mahjong\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\L7XNHY48\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Public\desktop.ini
C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\GKATPXW1\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
C:\Users\Admin\Favorites\Links\desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\Users\Public\Music\desktop.ini
C:\Program Files\Microsoft Games\Solitaire\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\Public\Pictures\Sample Pictures\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
C:\Users\Admin\Links\desktop.ini
C:\Users\Public\Downloads\desktop.ini
C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\Users\Public\Videos\desktop.ini
C:\Program Files\Microsoft Games\FreeCell\desktop.ini
C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\75GKCLJR\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Admin\Favorites\Links for United States\desktop.ini
C:\Program Files\Microsoft Games\Chess\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\GY8QW6M2\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6GFIGH6G\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini
desktop.ini is a hidden system file present in most shell folders, so these rows show that the encryptor does not skip hidden or system attributes; the Startup-folder row in the section above shows one of them renamed with the .hive suffix. The F:\$RECYCLE.BIN row confirms the second volume was traversed.
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) by msiexec.exe, in this order: \??\G: \??\H: \??\N: \??\O: \??\P: \??\Q: \??\I: \??\M: \??\T: \??\W: \??\Y: \??\B: \??\E: \??\J: \??\S: \??\V: \??\X: \??\K: \??\L: \??\R: \??\U: \??\Z: \??\A:
All 23 opens belong to msiexec.exe, which is probing every letter other than C:, D: and F:; none is attributed to HiveRansomware.exe. The sample's own drive enumeration is not captured in this section, but the Malware Config entry shows it wrote its note to F:\$RECYCLE.BIN, so it did reach the F: volume.
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-TapiSetup\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File opened for modification | C:\Windows\SysWOW64\wdi\perftrack\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\config\systemprofile\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\de-DE\Licenses\eval\HomePremiumE\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\et-EE\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\System32\DriverStore\FileRepository\adp94xx.inf_amd64_neutral_4928c8870f6a1577\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\System32\DriverStore\FileRepository\msdri.inf_amd64_neutral_86bb50f34c49ae71\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnlx00e.inf_amd64_neutral_0a4797d9b127d3a7\Amd64\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\migwiz\es-ES\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File opened for modification | C:\Windows\SysWOW64\de\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File opened for modification | C:\Windows\SysWOW64\migwiz\PostMigRes\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File opened for modification | C:\Windows\SysWOW64\oobe\it-IT\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\WindowsPowerShell\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\en-US\Licenses\OEM\ProfessionalN\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\es-ES\Licenses\OEM\ProfessionalE\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-Sxs\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\spp\tokens\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netg664.inf_amd64_neutral_b4e8ccc6ba210e97\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prngt004.inf_amd64_neutral_f5bf8a7ba9dfff55\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\System32\DriverStore\FileRepository\sisraid2.inf_amd64_neutral_845e008c32615283\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\InstallShield\setupdir\0019\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\de-DE\Licenses\eval\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\es-ES\Licenses\_Default\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\slmgr\0410\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File opened for modification | C:\Windows\SysWOW64\Dism\it-IT\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netbvbda.inf_amd64_neutral_2bfa4ea57bd5d74a\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnrc302.inf_amd64_ja-jp_64ee91a0bf7b132c\Amd64\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File opened for modification | C:\Windows\SysWOW64\IME\imekr8\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\Tasks\Microsoft\Windows\RemoteApp and Desktop Connections Update\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\ja-JP\Licenses\eval\Enterprise\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\zh-TW\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnky004.inf_amd64_neutral_5db759db19acd3ae\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\System32\DriverStore\FileRepository\unknown.inf_amd64_neutral_5eb6ac70dd1a3ad0\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\System32\DriverStore\FileRepository\wpdcomp.inf_amd64_neutral_11bbf54c8508434e\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File opened for modification | C:\Windows\SysWOW64\InstallShield\setupdir\0404\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File opened for modification | C:\Windows\SysWOW64\hu-HU\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\Speech\Engines\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\Speech\Engines\SR\de-DE\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\de-DE\Licenses\eval\UltimateE\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\es-ES\Licenses\OEM\Starter\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\it-IT\Licenses\OEM\HomeBasic\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\it-IT\Licenses\eval\Starter\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\System32\DriverStore\FileRepository\arcsas.inf_amd64_neutral_c763887719bed95d\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\System32\DriverStore\FileRepository\crcdisk.inf_amd64_neutral_d10626d1f8b423c3\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\es-ES\Licenses\eval\HomeBasicN\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\fr-FR\Licenses\eval\Starter\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\it-IT\Licenses\eval\ProfessionalE\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\zh-HK\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\System32\DriverStore\FileRepository\ks.inf_amd64_neutral_2b583ce4a6a029a1\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mdmbr006.inf_amd64_neutral_40c76453575b1208\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\System32\DriverStore\FileRepository\megasas2.inf_amd64_neutral_599d713507780ed4\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\winrm\0411\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\System32\DriverStore\FileRepository\hpoa1sd.inf_amd64_neutral_caaa16c52c48f8ac\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnca003.inf_amd64_neutral_8e91d4aa9330d2f8\Amd64\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnep004.inf_amd64_neutral_63b22bfb6b93eaba\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnle002.inf_amd64_neutral_c7564163ba063094\Amd64\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\System32\DriverStore\FileRepository\prnxx002.inf_amd64_neutral_560fdd891b24f384\Amd64\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\System32\DriverStore\FileRepository\ricoh.inf_amd64_neutral_66b4504d1fb1c857\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File opened for modification | C:\Windows\SysWOW64\migwiz\replacementmanifests\WindowsSearchEngine\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\cs-CZ\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\ja-JP\Licenses\eval\Professional\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\SysWOW64\wbem\fr-FR\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mdmairte.inf_amd64_neutral_0feacd08cb9c7fe3\HOW_TO_DECRYPT.txt | HiveRansomware.exe
The mix of SysWOW64 and System32 paths is a WOW64 artefact rather than two separate targets: the sample runs as a 32-bit process (its image is mapped at 0x380000 in the memory dumps above), so its writes aimed at C:\Windows\System32 are redirected to SysWOW64, while DriverStore is one of the System32 subdirectories exempt from redirection and therefore keeps its real path. When hunting, look for the note under both trees.
UPX packed file (yara rule upx) 16 IoCs
resource | yara_rule
behavioral1/memory/2692-0-0x0000000000380000-0x00000000005E3000-memory.dmp | upx
behavioral1/memory/2692-2-0x0000000000380000-0x00000000005E3000-memory.dmp | upx
behavioral1/memory/2692-1-0x0000000000380000-0x00000000005E3000-memory.dmp | upx
behavioral1/memory/2692-2975-0x0000000000380000-0x00000000005E3000-memory.dmp | upx
behavioral1/memory/2692-7136-0x0000000000380000-0x00000000005E3000-memory.dmp | upx
behavioral1/memory/2692-9184-0x0000000000380000-0x00000000005E3000-memory.dmp | upx
behavioral1/memory/2692-11440-0x0000000000380000-0x00000000005E3000-memory.dmp | upx
behavioral1/memory/2692-14103-0x0000000000380000-0x00000000005E3000-memory.dmp | upx
behavioral1/memory/2692-15864-0x0000000000380000-0x00000000005E3000-memory.dmp | upx
behavioral1/memory/2692-16700-0x0000000000380000-0x00000000005E3000-memory.dmp | upx
behavioral1/memory/2692-17469-0x0000000000380000-0x00000000005E3000-memory.dmp | upx
behavioral1/memory/2692-17489-0x0000000000380000-0x00000000005E3000-memory.dmp | upx
behavioral1/memory/2692-17490-0x0000000000380000-0x00000000005E3000-memory.dmp | upx
behavioral1/memory/2692-17491-0x0000000000380000-0x00000000005E3000-memory.dmp | upx
behavioral1/memory/2692-17492-0x0000000000380000-0x00000000005E3000-memory.dmp | upx
behavioral1/memory/2692-17493-0x0000000000380000-0x00000000005E3000-memory.dmp | upx
The heading of this signature is missing from this copy of the report; the rule name upx identifies it. The upx and hive_go rules hit the same region, 0x380000-0x5E3000 of pid 2692, which spans 0x263000 bytes (about 2.4 MB) against a 764KB file on disk. That is the expected picture for a UPX-packed binary: the memory image keeps the UPX section headers, so the packer rule still fires, while the unpacked Go code that the hive_go rule needs is only present in memory. A static scan of the on-disk file with the family rule can miss; scan the process memory or an unpacked copy.
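As an added illustration that is not part of the sandbox report, the following Python parses dump identifiers in the page's own `<task>/memory/<pid>-<index>-<base>-<end>-memory.dmp <rule>` form, groups hits by memory region and checks whether a packer rule and a family rule fired on the same bytes, then compares the region size with the on-disk size. The embedded rows are a subset copied from the two yara sections above; the 764*1024 on-disk size (the sandbox rounds to KB) and the choice of `upx` as the packer rule are this example's own assumptions.

```python
import re
from collections import defaultdict

# Subset of the dump identifiers listed in this report's upx and hive_go yara
# sections (copied from the page; the page lists 16 and 15 hits respectively).
REPORT_MATCHES = """
behavioral1/memory/2692-0-0x0000000000380000-0x00000000005E3000-memory.dmp upx
behavioral1/memory/2692-2-0x0000000000380000-0x00000000005E3000-memory.dmp upx
behavioral1/memory/2692-1-0x0000000000380000-0x00000000005E3000-memory.dmp upx
behavioral1/memory/2692-17493-0x0000000000380000-0x00000000005E3000-memory.dmp upx
behavioral1/memory/2692-2-0x0000000000380000-0x00000000005E3000-memory.dmp hive_go
behavioral1/memory/2692-1-0x0000000000380000-0x00000000005E3000-memory.dmp hive_go
behavioral1/memory/2692-17493-0x0000000000380000-0x00000000005E3000-memory.dmp hive_go
"""

# "Size 764KB" from the General section; assumed to mean 764 * 1024 bytes.
ON_DISK_SIZE = 764 * 1024

# Assumed packer rule name, taken from the rule column of the page.
PACKER_RULES = {"upx"}

DUMP_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<index>\d+)-"
    r"(?P<base>0x[0-9A-Fa-f]+)-(?P<end>0x[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)


def parse_matches(text):
    """Parse 'resource yara_rule' rows; a row that does not fit the naming is an error."""
    rows = []
    for line in text.strip().splitlines():
        m = DUMP_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised dump identifier: {line!r}")
        rows.append({
            "task": m["task"], "pid": int(m["pid"]), "index": int(m["index"]),
            "base": int(m["base"], 16), "end": int(m["end"], 16), "rule": m["rule"],
        })
    return rows


def regions(rows):
    """Group hits by (task, pid, base, end): which rules fired, on which snapshots."""
    out = defaultdict(lambda: {"rules": set(), "snapshots": set()})
    for r in rows:
        key = (r["task"], r["pid"], r["base"], r["end"])
        out[key]["rules"].add(r["rule"])
        out[key]["snapshots"].add(r["index"])
    return dict(out)


def region_size(key):
    """Byte length of a (task, pid, base, end) region."""
    return key[3] - key[2]


def expansion_ratio(key, on_disk=ON_DISK_SIZE):
    """In-memory image size over on-disk size; well above 1 is consistent with packing."""
    return region_size(key) / on_disk


def co_located_rules(rows):
    """Regions where a packer rule and at least one non-packer rule hit the same bytes."""
    return {
        key: info for key, info in regions(rows).items()
        if info["rules"] & PACKER_RULES and info["rules"] - PACKER_RULES
    }


if __name__ == "__main__":
    for key, info in regions(parse_matches(REPORT_MATCHES)).items():
        task, pid, base, end = key
        print(f"{task} pid {pid} {base:#x}-{end:#x}: {region_size(key):#x} bytes, "
              f"x{expansion_ratio(key):.1f} of on-disk size, "
              f"rules={sorted(info['rules'])}, snapshots={sorted(info['snapshots'])}")
```

Run against the full list from the page, the output is a single region with both rules and a ratio of about 3.2, which is what the note above describes; a region that only the packer rule hits, or a ratio near 1, would call for a closer look at whether the dump was taken before unpacking finished.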
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ONBttnPPT.dll.UKtxmF683abWQOz4bIXm0uJwBL_Fm2AvZfQ_HljjQQs.hive | HiveRansomware.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105348.WMF | HiveRansomware.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Jerusalem.UKtxmF683abWQOz4bIXm0s4XhQZev6Bu3cNyuV2y8H4.hive | HiveRansomware.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02749U.BMP.UKtxmF683abWQOz4bIXm0pxWMJle6p0oE3Y5K7FkFFI.hive | HiveRansomware.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-border.png | HiveRansomware.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_over.png | HiveRansomware.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | HiveRansomware.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0196374.WMF | HiveRansomware.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\visualization\libprojectm_plugin.dll | HiveRansomware.exe
File created | C:\Program Files (x86)\Common Files\System\Ole DB\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Kaliningrad.UKtxmF683abWQOz4bIXm0mYYfJU5zIY-_CVsUFKSmVI.hive | HiveRansomware.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0278702.WMF | HiveRansomware.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309705.JPG | HiveRansomware.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.Infopath.dll | HiveRansomware.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_zh_CN.jar.UKtxmF683abWQOz4bIXm0qxLfDGNrVxX_ttfX-f2WBU.hive | HiveRansomware.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-print.xml | HiveRansomware.exe
File created | C:\Program Files\VideoLAN\VLC\locale\uz\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0102762.WMF | HiveRansomware.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC | HiveRansomware.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT.UKtxmF683abWQOz4bIXm0iDrAmQt29o_C-Ymjzq90Hk.hive | HiveRansomware.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\ONENOTE.HXS.UKtxmF683abWQOz4bIXm0lIdtmIUr6JNZ9g0BGiz5x4.hive | HiveRansomware.exe
File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+8 | HiveRansomware.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_ja_4.4.0.v20140623020002.jar | HiveRansomware.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe.UKtxmF683abWQOz4bIXm0juX5b9DzvkDFmWRjyaJwUo.hive | HiveRansomware.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\settings.js | HiveRansomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe | HiveRansomware.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0216858.WMF | HiveRansomware.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\asl-v20.txt | HiveRansomware.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Program Files (x86)\Windows Media Player\fr-FR\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_rest.png | HiveRansomware.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02444_.WMF.UKtxmF683abWQOz4bIXm0nC_UvvreqZj_ZwXIYuuTH4.hive | HiveRansomware.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_videoinset.png | HiveRansomware.exe
File created | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File created | C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBLR6.CHM | HiveRansomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\TipRes.dll.mui | HiveRansomware.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSN.ICO | HiveRansomware.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\notification_plugin.jar | HiveRansomware.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-heapwalker.xml | HiveRansomware.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\THMBNAIL.PNG | HiveRansomware.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00352_.WMF.UKtxmF683abWQOz4bIXm0vxpfrdZ-896Z-PMOLEBoCo.hive | HiveRansomware.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\header.gif.UKtxmF683abWQOz4bIXm0sO2iTrDIvFhTJoTMnQJgm8.hive | HiveRansomware.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.service.exsd | HiveRansomware.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml | HiveRansomware.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_right_mouseout.png | HiveRansomware.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert.css | HiveRansomware.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sw.txt | HiveRansomware.exe
File created | C:\Program Files\Internet Explorer\ja-JP\HOW_TO_DECRYPT.txt | HiveRansomware.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe | HiveRansomware.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Indian\Christmas | HiveRansomware.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Utilities.v3.5.dll | HiveRansomware.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_filter\libdeinterlace_plugin.dll.UKtxmF683abWQOz4bIXm0p8QZ9xNM-4fNCd_ZTC0kTU.hive | HiveRansomware.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00242_.WMF.UKtxmF683abWQOz4bIXm0mwa0PhVruQOzKrgZxNs1io.hive | HiveRansomware.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\SOLVER32.DLL.UKtxmF683abWQOz4bIXm0rOe2SGYTix2Rp8dM2T5yxY.hive | HiveRansomware.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-favorites.jar | HiveRansomware.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Linq.Resources.dll | HiveRansomware.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\vlc.mo | HiveRansomware.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CERT.XML | HiveRansomware.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms_3.6.100.v20140422-1825.jar.UKtxmF683abWQOz4bIXm0tKptO3uPjVriBb4nuW_8RU.hive | HiveRansomware.exe
Three kinds of row are mixed here: ransom notes being created, victim files opened under their original name, and victim files opened under the renamed form <original>.<43-character token>.hive, so a single file can be logged under both names. The sample does not spare application binaries (GoogleUpdateOnDemand.exe, jps.exe, javap.exe, DLLs and JARs are all opened for modification), so recovery means reinstalling applications, not only restoring user data. The token prefix UKtxmF683abWQOz4bIXm0 is identical in every .hive name in this run and only the remainder varies per file, which makes the prefix a usable per-incident indicator.
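As an added example that is not part of the report, this Python triages rows in the page's "description ioc Process" form (covering the Program Files, System32, desktop.ini and startup sections above): it separates ransom notes, encrypted files and merely touched files, keeps only rows attributed to the sample so that the msiexec.exe rows from the drive-enumeration section are excluded, and derives the constant prefix of the .hive name token. The embedded rows are copied from this page; the 43-character base64url token, its decoding to 32 bytes and the 21-character constant prefix are inferred from the names on the page, not from Hive documentation, and the `triage` function and its output keys are this example's own.

```python
import base64
import re
from collections import Counter

# Rows copied from this report's IoC tables (a constructed subset; the last row is
# from the drive-enumeration section and belongs to msiexec.exe, not the sample).
REPORT_ROWS = r"""
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ONBttnPPT.dll.UKtxmF683abWQOz4bIXm0uJwBL_Fm2AvZfQ_HljjQQs.hive HiveRansomware.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105348.WMF HiveRansomware.exe
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Jerusalem.UKtxmF683abWQOz4bIXm0s4XhQZev6Bu3cNyuV2y8H4.hive HiveRansomware.exe
File created C:\Program Files (x86)\Common Files\System\Ole DB\HOW_TO_DECRYPT.txt HiveRansomware.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.UKtxmF683abWQOz4bIXm0n6hLVnpV2JXmS2OXD2gR1Y.hive HiveRansomware.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW_TO_DECRYPT.txt HiveRansomware.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe.UKtxmF683abWQOz4bIXm0juX5b9DzvkDFmWRjyaJwUo.hive HiveRansomware.exe
File opened (read-only) \??\G: msiexec.exe
"""

ROW_RE = re.compile(
    r"^(?P<action>File opened for modification|File created|File opened \(read-only\)) "
    r"(?P<path>.+) (?P<process>\S+)$"
)
RANSOM_NOTE = "HOW_TO_DECRYPT.txt"
# Encrypted-name shape observed on the page: <original>.<43 base64url chars>.hive
HIVE_NAME_RE = re.compile(r"^(?P<original>.+)\.(?P<token>[A-Za-z0-9_-]{43})\.hive$")


def parse_rows(text):
    """Split each row into action, path and process; the process never contains spaces."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised IoC row: {line!r}")
        rows.append(m.groupdict())
    return rows


def basename(path):
    return path.rsplit("\\", 1)[-1]


def dirname(path):
    return path.rsplit("\\", 1)[0]


def classify(path):
    """ransom_note, encrypted or touched, decided from the file name alone."""
    name = basename(path)
    if name == RANSOM_NOTE:
        return "ransom_note"
    if HIVE_NAME_RE.match(name):
        return "encrypted"
    return "touched"


def hive_token(path):
    """The 43-character token of an encrypted name, or None for other files."""
    m = HIVE_NAME_RE.match(basename(path))
    return m["token"] if m else None


def decode_token(token):
    """Unpadded base64url: 43 characters decode to 32 bytes."""
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def common_prefix(strings):
    """Longest common prefix; the lexicographic min and max bound all others."""
    if not strings:
        return ""
    first, last = min(strings), max(strings)
    i = 0
    while i < len(first) and first[i] == last[i]:
        i += 1
    return first[:i]


def triage(text, process="HiveRansomware.exe"):
    """Summarise rows attributed to `process`: counts, note directories, token prefix."""
    rows = [r for r in parse_rows(text) if r["process"] == process]
    kinds = {r["path"]: classify(r["path"]) for r in rows}
    tokens = [hive_token(p) for p, k in kinds.items() if k == "encrypted"]
    prefix = common_prefix(tokens)
    return {
        "rows": len(rows),
        "counts": dict(Counter(kinds.values())),
        "note_dirs": sorted(dirname(p) for p, k in kinds.items() if k == "ransom_note"),
        "token_prefix": prefix,
        "constant_bytes": len(prefix) * 6 // 8,  # whole bytes fixed by the prefix
        "token_bytes": len(decode_token(tokens[0])) if tokens else 0,
    }


if __name__ == "__main__":
    for key, value in triage(REPORT_ROWS).items():
        print(f"{key}: {value}")
```

Fed the full tables from this page, the prefix comes out as UKtxmF683abWQOz4bIXm0, so the first 15 bytes of the decoded token are constant for the run; a hunt can therefore match on `*.UKtxmF683abWQOz4bIXm0*.hive` plus HOW_TO_DECRYPT.txt rather than on the bare .hive suffix, which collides with legitimate names.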
Drops file in Windows directory 64 IoCs
description ioc Process
File created C:\Windows\winsxs\x86_microsoft-windows-l..-startern.resources_31bf3856ad364e35_6.1.7601.17514_it-it_5508ad2604ca3114\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\amd64_microsoft-windows-clip.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_842dc9d6b196871c\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\amd64_microsoft-windows-i..tiator_ui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_073939b78177adf0\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\amd64_microsoft-windows-s..structure.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_9d774152432708ef\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\x86_microsoft-windows-h..providers.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cfe854cd853d6959\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\Microsoft.NET\Framework\v3.5\SQL\de\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\assembly\GAC_MSIL\System.Data.Services.Design\3.5.0.0__b77a5c561934e089\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\amd64_fdrespub.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b4ee55ea213abf40\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\App_LocalResources\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\amd64_microsoft-windows-credwiz_31bf3856ad364e35_6.1.7600.16385_none_fbcfa2528586252f\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\amd64_microsoft-windows-f..lications.resources_31bf3856ad364e35_6.1.7600.16385_en-us_704ebb7a95b9eb6f\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\amd64_microsoft-windows-l..-startern.resources_31bf3856ad364e35_6.1.7600.16385_it-it_7b0e256ab1668dc1\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\amd64_prnlx00e.inf_31bf3856ad364e35_6.1.7600.16385_none_62f1ac73c71cd7e9\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\wow64_microsoft-windows-htmlhelp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1b633f84cf4098f0\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\x86_microsoft-windows-m..vider-rll.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4332a29e2aa87048\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.GroupPoli#\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\amd64_microsoft-windows-panmap_31bf3856ad364e35_6.1.7600.16385_none_c55145e338d63048\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\x86_microsoft-windows-a..oldertool.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_41f6f4bfb8f74cc4\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\amd64_microsoft-windows-g..tallation.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_9ea5d52f2f6e355c\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\amd64_microsoft-windows-i..ional-codepage-1148_31bf3856ad364e35_6.1.7600.16385_none_80b902312247f1ff\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\amd64_netfx-msbuild_schema_b03f5f7f11d50a3a_6.1.7600.16385_none_684caa7a626b31b1\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\amd64_wcf-m_smsvchost_perf_c_h_31bf3856ad364e35_6.1.7600.16385_none_9f53e08173260b26\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\amd64_microsoft-windows-t..languages.resources_31bf3856ad364e35_6.1.7601.17514_ko-kr_e33d3558bf13e392\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\wow64_microsoft-windows-ntshrui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5e647d3561f1a23f\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\x86_devicepairingproxy_31bf3856ad364e35_6.1.7600.16385_none_3044683777265932\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\x86_microsoft-windows-calc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_17e92c45e8bbd3f0\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\amd64_microsoft-windows-e..ingfaults.resources_31bf3856ad364e35_6.1.7600.16385_de-de_29907b7959904400\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\amd64_microsoft-windows-uianimation_31bf3856ad364e35_7.1.7601.16492_none_dabb204d1164d720\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\wow64_microsoft-windows-i..-wow64-setupdll0013_31bf3856ad364e35_6.1.7600.16385_none_4a89ba50c9aa74c6\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\amd64_microsoft-windows-r..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b90767b8f51495f4\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\x86_microsoft-windows-mfaacenc_31bf3856ad364e35_6.1.7600.16385_none_728069eb536e0eed\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vb0a86591#\07804adf0c86039b437649479f7abcd6\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\amd64_microsoft-windows-a..in-native.resources_31bf3856ad364e35_6.1.7600.16385_it-it_0770496cdfab5688\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\x86_microsoft-windows-d..layswitch.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a9acf0e7ff47d9c3\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\x86_microsoft-windows-usercpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_95ba074af7bc3755\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-stacking_31bf3856ad364e35_6.1.7600.16385_none_d0d2b98d4629a41f\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\amd64_microsoft-windows-n..ktopology.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c0f2de22c6673991\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\amd64_microsoft-windows-sonic-symphonypal_31bf3856ad364e35_6.1.7600.16385_none_cd66bc3541f90a26\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\wow64_microsoft-windows-i..l-keyboard-00020445_31bf3856ad364e35_6.1.7600.16385_none_958e09ee9648353e\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\x86_microsoft-windows-e..epassword.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f916ccdc22ebc0\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\x86_microsoft-windows-h..datalayer.resources_31bf3856ad364e35_6.1.7600.16385_es-es_fb7a94ffd75a432c\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\x86_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_en-us_1aca4d46a08df107\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\x86_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_it-it_a77516706ab8de8c\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\x86_wwf-cwetargets_i_31bf3856ad364e35_6.1.7600.16385_none_a0321d263a2c32b2\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\diagnostics\system\Printer\de-DE\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\amd64_microsoft-windows-i..tional-codepage-874_31bf3856ad364e35_6.1.7600.16385_none_2aded3dab4e1404c\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\x86_microsoft-windows-m..mdac-odbc-jet-fox32_31bf3856ad364e35_6.1.7600.16385_none_7abaf305f4aaccff\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\x86_microsoft-windows-mspaint.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_eb0d4dfcb28bb286\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\amd64_microsoft-windows-d..how-other.resources_31bf3856ad364e35_6.1.7600.16385_de-de_2ecd976a5f9ab2d2\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\x86_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7601.17514_de-de_513edc990604dfb2\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\x86_microsoft-windows-m..-logagent.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2587d918e2444ab4\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\x86_microsoft-windows-sud.resources_31bf3856ad364e35_6.1.7600.16385_en-us_55822957c6b71a32\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\x86_microsoft-windows-w..extension.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0f8457cd1f21fd1a\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\amd64_microsoft-windows-g..in-appmgr.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ca2b3cf998453ed2\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\amd64_microsoft-windows-usbui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9520012288443973\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\amd64_wiabr00a.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_36e20b53c48b5e07\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\x86_microsoft-windows-clip.resources_31bf3856ad364e35_6.1.7600.16385_de-de_504e10234d150ac1\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\assembly\GAC_MSIL\System.EnterpriseServices.resources\2.0.0.0_fr_b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\67215fe430cb12f890a7dc19fd53aa55\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\amd64_machine.inf_31bf3856ad364e35_6.1.7601.17514_none_1838f2aad55063bb\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\amd64_prnrc00b.inf_31bf3856ad364e35_6.1.7600.16385_none_3a88c62811ffe8cd\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\winsxs\amd64_wiaca00d.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9cf3bf463e653b83\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\assembly\GAC_MSIL\System.Web.DynamicData.Design.resources\3.5.0.0_it_31bf3856ad364e35\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv14259fd9#\b6a1466f4c910dd8d83b4592bef36aff\HOW_TO_DECRYPT.txt HiveRansomware.exe
-
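The two file listings above (Program Files and the Windows directory) show Hive's two on-disk artefacts: encrypted files renamed to `<original name>.<43-character token>.hive`, and one `HOW_TO_DECRYPT.txt` note created per directory. The following Python script is an added example and is not part of the sandbox report or of the Hive code: it parses records copied from the listings above (the embedded sample is constructed from those lines), separates encrypted files, ransom notes and untouched files, recovers the original file names, and decodes the appended token as unpadded base64url. The function names, and the reading of the token's shared leading bytes as a per-run marker with the remainder varying per file, are this example's own assumptions; the report does not state what the token encodes.

```python
"""Added example, not part of the sandbox report: parse the file-activity
records above, separate Hive-encrypted files from ransom notes and untouched
files, and inspect the suffix Hive appends to encrypted file names. What the
suffix bytes mean is an assumption; the report only shows the renamed paths."""
import base64
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: records copied from the Program Files and Windows
# directory listings above, one record per line.
SAMPLE_RECORDS = r"""
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00352_.WMF.UKtxmF683abWQOz4bIXm0vxpfrdZ-896Z-PMOLEBoCo.hive HiveRansomware.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\header.gif.UKtxmF683abWQOz4bIXm0sO2iTrDIvFhTJoTMnQJgm8.hive HiveRansomware.exe
File opened for modification C:\Program Files\7-Zip\Lang\sw.txt HiveRansomware.exe
File created C:\Program Files\Internet Explorer\ja-JP\HOW_TO_DECRYPT.txt HiveRansomware.exe
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libdeinterlace_plugin.dll.UKtxmF683abWQOz4bIXm0p8QZ9xNM-4fNCd_ZTC0kTU.hive HiveRansomware.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00242_.WMF.UKtxmF683abWQOz4bIXm0mwa0PhVruQOzKrgZxNs1io.hive HiveRansomware.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\SOLVER32.DLL.UKtxmF683abWQOz4bIXm0rOe2SGYTix2Rp8dM2T5yxY.hive HiveRansomware.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms_3.6.100.v20140422-1825.jar.UKtxmF683abWQOz4bIXm0tKptO3uPjVriBb4nuW_8RU.hive HiveRansomware.exe
File created C:\Windows\Microsoft.NET\Framework\v3.5\SQL\de\HOW_TO_DECRYPT.txt HiveRansomware.exe
File created C:\Windows\diagnostics\system\Printer\de-DE\HOW_TO_DECRYPT.txt HiveRansomware.exe
"""

ACTIONS = ("File created", "File opened for modification")
# <original name>.<43 base64url chars>.hive ; 43 chars carry 258 bits, i.e. 32 bytes
HIVE_NAME_RE = re.compile(r"^(?P<orig>.+)\.(?P<tok>[A-Za-z0-9_-]{43})\.hive$")
NOTE_NAME = "HOW_TO_DECRYPT.txt"


def parse_records(text: str) -> List[Tuple[str, str, str]]:
    """Split each line into (action, path, process). Paths contain spaces, so
    the action is matched as a known prefix and the process is the last token."""
    out = []
    for line in text.strip().splitlines():
        for action in ACTIONS:
            if line.startswith(action + " "):
                path, proc = line[len(action) + 1:].rsplit(" ", 1)
                out.append((action, path, proc))
                break
    return out


def split_hive_name(filename: str) -> Optional[Tuple[str, str]]:
    """(original name, token) for an encrypted file name, else None."""
    m = HIVE_NAME_RE.match(filename)
    return (m.group("orig"), m.group("tok")) if m else None


def decode_token(token: str) -> bytes:
    """The token is base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def common_prefix(blobs: List[bytes]) -> bytes:
    """Longest byte prefix shared by every blob."""
    if not blobs:
        return b""
    n = 0
    while n < min(len(b) for b in blobs) and len({b[n] for b in blobs}) == 1:
        n += 1
    return blobs[0][:n]


def summarize(text: str) -> Dict[str, object]:
    """Classify the records and describe the encrypted-name token."""
    encrypted, notes, other = [], [], []
    for action, path, _proc in parse_records(text):
        name = path.rsplit("\\", 1)[-1]
        if name == NOTE_NAME and action == "File created":
            notes.append(path)
        elif split_hive_name(name):
            encrypted.append(path)
        else:
            other.append(path)
    parts = [split_hive_name(p.rsplit("\\", 1)[-1]) for p in encrypted]
    tokens = [decode_token(tok) for _orig, tok in parts]
    shared = common_prefix(tokens)
    return {
        "encrypted": len(encrypted),
        "ransom_notes": len(notes),
        "other": len(other),
        "original_names": [orig for orig, _tok in parts],
        "token_bytes": sorted({len(t) for t in tokens}),
        # Assumption: the shared leading bytes act as a per-run marker and the
        # rest is per-file; the report does not say what the token encodes.
        "shared_prefix_hex": shared.hex(),
        "shared_prefix_len": len(shared),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

`summarize(SAMPLE_RECORDS)` returns the counts, the recovered original names and the shared prefix. On the records in this report every token decodes to 32 bytes, and the first 16 bytes are identical across all encrypted files while the remainder differs per file; that is what an investigator would use to group files from one run and to restore original names in an inventory without relying on the ransomware's own rename.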
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. In this run 62 of the 64 entries come from timeout.exe, one from vssadmin.exe and only one from HiveRansomware.exe itself; this NLS key is routinely read by ordinary processes during start-up, so on its own it is weak evidence of a deliberate locale check by the sample.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe (62 entries)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe (1 entry)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HiveRansomware.exe (1 entry)
-
Delays execution with timeout.exe 64 IoCs
pid Process
timeout.exe, 64 entries, PIDs in report order: 1216, 272, 2832, 2792, 1956, 2788, 2752, 888, 2384, 1608, 2044, 2020, 2848, 2744, 1000, 1708, 716, 2228, 2600, 2192, 2716, 2444, 1948, 1968, 1216, 1068, 604, 1860, 2384, 1216, 1988, 2784, 2832, 1872, 2420, 2764, 3040, 1192, 1980, 2032, 568, 2200, 2020, 2672, 2704, 1556, 776, 3052, 2236, 1940, 548, 2076, 2720, 2624, 2688, 2776, 2404, 2928, 1700, 1980, 2024, 2888, 2616, 2444
Several PIDs recur (1216 three times; 1980, 2020, 2384, 2444 and 2832 twice): each timeout.exe exits after one second and Windows reuses the freed PID, so a PID alone does not identify a process in this trace; correlate on PID plus creation time (or the sensor's process GUID) instead.
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process
1384 vssadmin.exe
In this run vssadmin.exe (PID 1384) is launched by cmd.exe (PID 3064), which is itself spawned by HiveRansomware.exe (PID 2692), as the WriteProcessMemory records below show; the vssadmin command line is not included in this report.
-
Modifies registry class 7 IoCs
description ioc Process
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open msiexec.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit\command msiexec.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit msiexec.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx\IconHandler msiexec.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx msiexec.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon msiexec.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command msiexec.exe
These deletions are made by msiexec.exe (PID 1896 in the sections below), not by HiveRansomware.exe, and the report shows no process relation between the sample and msiexec.exe, so they should not be attributed to the sample without further evidence.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2692 HiveRansomware.exe 1896 msiexec.exe 1896 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
description pid Process
Token: SeBackupPrivilege 2900 vssvc.exe
Token: SeRestorePrivilege 2900 vssvc.exe
Token: SeAuditPrivilege 2900 vssvc.exe
Token: SeRestorePrivilege 1896 msiexec.exe
Token: SeTakeOwnershipPrivilege 1896 msiexec.exe
Token: SeSecurityPrivilege 1896 msiexec.exe
Token: SeRestorePrivilege 1896 msiexec.exe, followed by Token: SeTakeOwnershipPrivilege 1896 msiexec.exe (this pair repeats 11 times, giving 25 msiexec.exe entries and 28 in total)
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
Each parent/child relation below appears four times in the report's 64 entries; the distinct relations are:
PID 2692 wrote to memory of 2828 2692 HiveRansomware.exe 31
PID 2692 wrote to memory of 3064 2692 HiveRansomware.exe 33
PID 2828 wrote to memory of 3004 2828 cmd.exe 35
PID 3064 wrote to memory of 1384 3064 cmd.exe 36
PID 2828 wrote to memory of 1860 2828 cmd.exe 38
PID 2828 wrote to memory of 2088 2828 cmd.exe 39
PID 2828 wrote to memory of 1980 2828 cmd.exe 40
PID 2828 wrote to memory of 2764 2828 cmd.exe 41
PID 2828 wrote to memory of 2912 2828 cmd.exe 42
PID 2828 wrote to memory of 1708 2828 cmd.exe 43
PID 2828 wrote to memory of 1224 2828 cmd.exe 44
PID 2828 wrote to memory of 1216 2828 cmd.exe 45
PID 2828 wrote to memory of 1700 2828 cmd.exe 46
PID 2828 wrote to memory of 2396 2828 cmd.exe 47
PID 2828 wrote to memory of 2956 2828 cmd.exe 48
PID 2828 wrote to memory of 2784 2828 cmd.exe 49
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this run the service process is vssvc.exe (PID 2900), which enables SeBackupPrivilege, SeRestorePrivilege and SeAuditPrivilege in the AdjustPrivilegeToken records above, consistent with it servicing the vssadmin.exe (PID 1384) call made from under the sample.
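The signature groups above list the `timeout 1` burst, the vssadmin.exe call and the parent/child memory writes as separate facts. The following Python script is an added example and is not part of the sandbox report: it rebuilds the process tree from process-creation events constructed from the PIDs, image paths and command lines shown in this report and evaluates two detections over it, a cmd.exe that spawns a burst of `timeout` children, and shadow-copy tooling whose ancestry includes a binary run from a user-writable path. The threshold of five children, the list of user-writable path markers and the rule names are this example's assumptions; where the report shows no command line or image path (cmd.exe PID 3064, vssadmin.exe PID 1384) the field is left empty rather than guessed, and the parent of PID 2692 is recorded as 0 because it is not in the report.

```python
"""Added example, not part of the sandbox report: rebuild the process tree
from process-creation events and flag two behaviours the report lists
separately: a cmd.exe that launches a burst of `timeout 1` children, and
vssadmin.exe running under a binary that lives in a user-writable path."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path where the report shows it, otherwise the file name
    cmdline: str   # empty where the report does not show it


# Constructed from the WriteProcessMemory and Processes sections of this report.
TIMEOUT_CHILDREN = (3004, 1860, 2088, 1980, 2764, 2912, 1708,
                    1224, 1216, 1700, 2396, 2956, 2784)

EVENTS: List[ProcEvent] = [
    # ppid 0: the parent of the sample is not in the report
    ProcEvent(2692, 0, r"C:\Users\Admin\AppData\Local\Temp\HiveRansomware.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\HiveRansomware.exe"'),
    ProcEvent(2828, 2692, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c hive.bat >NUL 2>NUL"),
    ProcEvent(3064, 2692, r"C:\Windows\SysWOW64\cmd.exe", ""),   # command line not shown
    ProcEvent(1384, 3064, "vssadmin.exe", ""),                  # path and command line not shown
] + [ProcEvent(pid, 2828, r"C:\Windows\SysWOW64\timeout.exe", "timeout 1")
     for pid in TIMEOUT_CHILDREN]

# Assumption: path fragments that an unprivileged user can write to.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
# Only vssadmin.exe appears in this report; wbadmin.exe or wmic.exe would need
# command-line filtering before being added here.
SHADOW_TOOLS = ("vssadmin.exe",)


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def index_events(events: List[ProcEvent]) -> Tuple[Dict[int, ProcEvent], Dict[int, List[ProcEvent]]]:
    by_pid = {e.pid: e for e in events}
    children: Dict[int, List[ProcEvent]] = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    return by_pid, children


def ancestry(pid: int, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Walk parent links, self first, until the chain leaves the event set."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def from_user_writable(image: str) -> bool:
    return any(marker in image.lower() for marker in USER_WRITABLE_MARKERS)


def detect_timeout_loop(events: List[ProcEvent], min_children: int = 5) -> List[dict]:
    """cmd.exe that launches min_children or more `timeout N` processes.
    Repeated one-second sleeps are how a batch file polls for a condition;
    hive.bat's contents are not in the report, so its purpose is not asserted."""
    by_pid, children = index_events(events)
    alerts = []
    for e in events:
        if basename(e.image) != "cmd.exe":
            continue
        kids = [c for c in children[e.pid]
                if basename(c.image) == "timeout.exe"
                and c.cmdline.lower().startswith("timeout ")]
        if len(kids) >= min_children:
            alerts.append({"rule": "cmd_timeout_loop", "pid": e.pid, "cmdline": e.cmdline,
                           "timeout_children": len(kids),
                           "root_pid": ancestry(e.pid, by_pid)[-1].pid})
    return alerts


def detect_shadow_copy_tamper(events: List[ProcEvent]) -> List[dict]:
    """Shadow-copy tooling with an ancestor that runs from a user-writable path."""
    by_pid, _ = index_events(events)
    alerts = []
    for e in events:
        if basename(e.image) not in SHADOW_TOOLS:
            continue
        chain = ancestry(e.pid, by_pid)
        origin = next((a for a in chain if from_user_writable(a.image)), None)
        if origin is not None:
            alerts.append({"rule": "shadow_copy_tamper_from_user_path", "pid": e.pid,
                           "origin_pid": origin.pid, "origin_image": origin.image,
                           "root_pid": chain[-1].pid})
    return alerts


def run_detections(events: List[ProcEvent]) -> List[dict]:
    return detect_timeout_loop(events) + detect_shadow_copy_tamper(events)


if __name__ == "__main__":
    for alert in run_detections(EVENTS):
        print(alert)
```

The rules key on image names and parent links rather than on PIDs because, as the "Delays execution with timeout.exe" list shows, PIDs are reused within this single run; real telemetry should carry the sensor's process GUID or the creation timestamp alongside the PID. The vssadmin rule should also inspect the command line once it is available, which this report does not show.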
Processes
-
C:\Users\Admin\AppData\Local\Temp\HiveRansomware.exe"C:\Users\Admin\AppData\Local\Temp\HiveRansomware.exe"1⤵
- Drops file in Drivers directory
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\cmd.execmd /c hive.bat >NUL 2>NUL2⤵
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:3004
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:1860
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:2088
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1980
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2764
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:2912
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:1708
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:1224
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1216
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:1700
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:2396
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:2956
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2784
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2384
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:1732
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:3068
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1980
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:1388
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2600
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2024
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:2236
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2384
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:2856
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:716
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:848
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:2892
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:2844
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2032
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2076
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:2556
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2200
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:1608
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:1556
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2228
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1216
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:776
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:2684
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2888
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:276
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:1280
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2616
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:2404
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:2024
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2832
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:2312
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2624
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:3052
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2444
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2044
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:624
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:976
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:1684
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:1884
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:1216
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:2360
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:2400
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:2944
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:1220
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:272
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2832
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:2876
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:604
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:2712
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:976
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:1948
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2020
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2688
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:1068
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
PID:2912
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- Delays execution with timeout.exe
PID:2848
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
PID:2924
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
PID:1988
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- Delays execution with timeout.exe
PID:2792
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2404
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
PID:2192
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- Delays execution with timeout.exe
PID:2236
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- System Location Discovery: System Language Discovery
PID:1272
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- Delays execution with timeout.exe
PID:2720
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
PID:1948
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- System Location Discovery: System Language Discovery
PID:1416
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- Delays execution with timeout.exe
PID:1940
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2444
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
PID:2172
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- Delays execution with timeout.exe
PID:2744
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- Delays execution with timeout.exe
PID:2192
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
PID:1952
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:3040
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- Delays execution with timeout.exe
PID:1872
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
PID:1216
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
PID:1424
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
PID:2176
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- System Location Discovery: System Language Discovery
PID:592
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
PID:1092
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
PID:2624
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
PID:2064
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- System Location Discovery: System Language Discovery
PID:2516
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
PID:2332
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
PID:2520
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:1968
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
PID:2204
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- System Location Discovery: System Language Discovery
PID:928
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2716
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
PID:2436
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- Delays execution with timeout.exe
PID:1000
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
PID:2848
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
PID:268
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
PID:1440
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- System Location Discovery: System Language Discovery
PID:2236
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- System Location Discovery: System Language Discovery
PID:1696
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- System Location Discovery: System Language Discovery
PID:1604
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
PID:540
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- Delays execution with timeout.exe
PID:568
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
PID:3048
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
PID:872
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:604
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- System Location Discovery: System Language Discovery
PID:700
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2420
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2020
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- Delays execution with timeout.exe
PID:1956
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- System Location Discovery: System Language Discovery
PID:2400
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
PID:2500
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2788
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:1988
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2752
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:548
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
PID:1100
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- System Location Discovery: System Language Discovery
PID:2960
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- Delays execution with timeout.exe
PID:2776
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- Delays execution with timeout.exe
PID:2928
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- Delays execution with timeout.exe
PID:888
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- Delays execution with timeout.exe
PID:1192
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
PID:2372
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- System Location Discovery: System Language Discovery
PID:1884
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
PID:2320
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- Delays execution with timeout.exe
PID:2672
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- System Location Discovery: System Language Discovery
PID:3068
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
PID:1924
C:\Windows\SysWOW64\timeout.exe timeout 1 3⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2704
C:\Windows\SysWOW64\cmd.exe cmd /c shadow.bat >NUL 2>NUL 2⤵
- Suspicious use of WriteProcessMemory
PID:3064
C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe delete shadows /all /quiet 3⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:1384
C:\Windows\system32\vssvc.exe C:\Windows\system32\vssvc.exe 1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2900
C:\Windows\system32\msiexec.exe C:\Windows\system32\msiexec.exe /V 1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1896
C:\Windows\syswow64\MsiExec.exe C:\Windows\syswow64\MsiExec.exe -Embedding DC8103CEAD71A400EF5EA4D9245CE785 2⤵
- Loads dropped DLL
PID:2804
C:\Windows\system32\MsiExec.exe C:\Windows\system32\MsiExec.exe -Embedding 7DD04EDF76B2DCA0B7DCD75F42F59EF3 2⤵
- Loads dropped DLL
PID:1856
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (2)
- Credentials from Web Browsers (1)
- Windows Credential Manager (1)
- Unsecured Credentials (1)
- Credentials In Files (1)
Downloads