hive | 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1

Analysis

max time kernel
150s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2025, 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HiveRansomware.exe
Size

764KB
MD5

2f9fc82898d718f2abe99c4a6fa79e69
SHA1

9d336b8911c8ffd7cc809e31d5b53796bb0cc7bb
SHA256

88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1
SHA512

19f0879b1c54d305ab7a97a0d46ab79c103d4687fe37d5f9ef1934904eea48a1c66b1ac2de3dace6dc0d91623309287044c198cb0b3fc9f8453fbc9d1c0cae8b
SSDEEP

12288:CinNFNkY/yU97ppM4NSBG81Np2C9H4S3iDjlLtc4wCIITIQaOI6NrwacVYV+4MsT:CinN3n/y67jM4v4kCSPDjlLtbwt8IQLH

Score

10^/10

hive credential_access discovery persistence ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\$Recycle.Bin\HOW_TO_DECRYPT.txt

Family

hive

Ransom Note

Your network has been breached and all data is encrypted. To decrypt all the data you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: EQA9oydTxwXS Password: vNtgAgb3kMFmCooANNQr Follow the guidelines below to avoid losing your data: - Do not shutdown or reboot your computers, unmount external storages. - Do not try to decrypt data using third party software. It may cause irreversible damage. - Do not fool yourself. Encryption has perfect secrecy and it's impossible to decrypt without knowing the key. - Do not modify, rename or delete *.key.hive files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to authorities. The negotiation process will be terminated immediately and the key will be erased. - Do not reject to purchase. Your sensitive data will be publicly disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

URLs

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

Signatures

Detects Go variant of Hive Ransomware 15 IoCs

resource	yara_rule
behavioral2/memory/3760-1-0x0000000000520000-0x0000000000783000-memory.dmp	hive_go
behavioral2/memory/3760-2-0x0000000000520000-0x0000000000783000-memory.dmp	hive_go
behavioral2/memory/3760-2515-0x0000000000520000-0x0000000000783000-memory.dmp	hive_go
behavioral2/memory/3760-4666-0x0000000000520000-0x0000000000783000-memory.dmp	hive_go
behavioral2/memory/3760-6853-0x0000000000520000-0x0000000000783000-memory.dmp	hive_go
behavioral2/memory/3760-10567-0x0000000000520000-0x0000000000783000-memory.dmp	hive_go
behavioral2/memory/3760-15874-0x0000000000520000-0x0000000000783000-memory.dmp	hive_go
behavioral2/memory/3760-19727-0x0000000000520000-0x0000000000783000-memory.dmp	hive_go
behavioral2/memory/3760-22874-0x0000000000520000-0x0000000000783000-memory.dmp	hive_go
behavioral2/memory/3760-22875-0x0000000000520000-0x0000000000783000-memory.dmp	hive_go
behavioral2/memory/3760-23185-0x0000000000520000-0x0000000000783000-memory.dmp	hive_go
behavioral2/memory/3760-24274-0x0000000000520000-0x0000000000783000-memory.dmp	hive_go
behavioral2/memory/3760-24275-0x0000000000520000-0x0000000000783000-memory.dmp	hive_go
behavioral2/memory/3760-24276-0x0000000000520000-0x0000000000783000-memory.dmp	hive_go
behavioral2/memory/3760-24277-0x0000000000520000-0x0000000000783000-memory.dmp	hive_go

Hive
A ransomware written in Golang first seen in June 2021.
ransomware hive
Hive family
hive

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Drops file in Drivers directory 20 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\es-ES\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\drivers\en-US\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\drivers\uk-UA\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\drivers\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\drivers\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\drivers\uk-UA\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\HOW_TO_DECRYPT.txt	HiveRansomware.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	HiveRansomware.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.WbcTxAPxA19RHktypwNtt1WxYaIW8-Rys-HpP1xZzQs.hive	HiveRansomware.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	HiveRansomware.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	HiveRansomware.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2593460650-190333679-3676257533-1000\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	HiveRansomware.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	HiveRansomware.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	HiveRansomware.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	HiveRansomware.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	HiveRansomware.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	HiveRansomware.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	HiveRansomware.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2593460650-190333679-3676257533-1000\desktop.ini	HiveRansomware.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	HiveRansomware.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	HiveRansomware.exe
File opened for modification	C:\Program Files\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Public\desktop.ini	HiveRansomware.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	HiveRansomware.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sv-SE\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\InstallShield\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\microsoft_bluetooth_a2dp.inf_amd64_614ec8e6e63777b7\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetSwitchTeam\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmfj2.inf_amd64_167948d0c94abc27\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wsdscdrv.inf_amd64_416a5877e9180787\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\SMI\Store\Machine\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\WCN\ja-JP\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\Temp\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\001b\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetConnection\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ServiceResource\es-ES\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\en-US\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\hr-HR\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AssignedAccess\uk-UA\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Host\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\ServiceSet\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ialpss2i_gpio2_cnl.inf_amd64_a60833fda31e9831\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmsii64.inf_amd64_0f02175b17cd3f66\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\pmem.inf_amd64_acec109593aed940\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\Speech\Engines\SR\de-DE\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrass.inf_amd64_7f701cb29b5389d3\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\Configuration\Schema\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\WCN\uk-UA\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\wbem\fr\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_scmvolume.inf_amd64_de693592afe8a496\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_LogResource\en-US\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\fr\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\slmgr\0C0A\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_camera.inf_amd64_7b52a9607d24ece6\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\Professional\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hidir.inf_amd64_7bf4a320e4ec8b3d\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ucmucsiacpiclient.inf_amd64_a233292790c69f03\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\002d\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCClassResources\WindowsPackageCab\en-US\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_holographic.inf_amd64_6ab9629b23deb837\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCClassResources\WindowsPackageCab\ja-JP\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmaus.inf_amd64_f9b71b1d9c8643e2\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgatew.inf_amd64_7e6c377859cfcb7c\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForAll\uk-UA\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_ucm.inf_amd64_c30468a947db0fa8\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net44amd.inf_amd64_450d4b1e35cc8e0d\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbhub3.inf_amd64_6a68abcc31aaa333\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\fr-FR\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\Configuration\Registration\MSFT_FileDirectoryConfiguration\fr-FR\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ProcessResource\es-ES\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmlucnt.inf_amd64_f4769cb994ece833\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Dism\de\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TrustedPlatformModule\es-ES\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\sl-SI\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\Speech\SpeechUX\uk-UA\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\oobe\es-ES\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\uk-UA\Licenses\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\wbem\ja-JP\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmtdkj7.inf_amd64_161e1375bcff85d9\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\sdfrd.inf_amd64_25779da6eca4810a\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ArchiveResource\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\MUI\0410\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\Volume\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\lsi_sss.inf_amd64_503a2398f4c86893\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmcm28.inf_amd64_4b833c2630a2a287\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_magneticstripereader.inf_amd64_86e291110e37418b\HOW_TO_DECRYPT.txt	HiveRansomware.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3760-0-0x0000000000520000-0x0000000000783000-memory.dmp	upx
behavioral2/memory/3760-1-0x0000000000520000-0x0000000000783000-memory.dmp	upx
behavioral2/memory/3760-2-0x0000000000520000-0x0000000000783000-memory.dmp	upx
behavioral2/memory/3760-2515-0x0000000000520000-0x0000000000783000-memory.dmp	upx
behavioral2/memory/3760-4666-0x0000000000520000-0x0000000000783000-memory.dmp	upx
behavioral2/memory/3760-6853-0x0000000000520000-0x0000000000783000-memory.dmp	upx
behavioral2/memory/3760-10567-0x0000000000520000-0x0000000000783000-memory.dmp	upx
behavioral2/memory/3760-15874-0x0000000000520000-0x0000000000783000-memory.dmp	upx
behavioral2/memory/3760-19727-0x0000000000520000-0x0000000000783000-memory.dmp	upx
behavioral2/memory/3760-22874-0x0000000000520000-0x0000000000783000-memory.dmp	upx
behavioral2/memory/3760-22875-0x0000000000520000-0x0000000000783000-memory.dmp	upx
behavioral2/memory/3760-23185-0x0000000000520000-0x0000000000783000-memory.dmp	upx
behavioral2/memory/3760-24274-0x0000000000520000-0x0000000000783000-memory.dmp	upx
behavioral2/memory/3760-24275-0x0000000000520000-0x0000000000783000-memory.dmp	upx
behavioral2/memory/3760-24276-0x0000000000520000-0x0000000000783000-memory.dmp	upx
behavioral2/memory/3760-24277-0x0000000000520000-0x0000000000783000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationTypes.dll	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionWideTile.scale-100.png	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-20_altform-unplated.png	HiveRansomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_sk.dll	HiveRansomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\Locales\ga.pak.DATA	HiveRansomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\tmapi_xl.dll	HiveRansomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul.xrm-ms.WbcTxAPxA19RHktypwNtt4u-0KDJpT4kzlDvz90mWmA.hive	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageSmallTile.scale-400.png	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-48.png	HiveRansomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\iexplore.exe.mui	HiveRansomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-pl.xrm-ms	HiveRansomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\MSB1CORE.DLL	HiveRansomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Pages_R_RHP.aapp.WbcTxAPxA19RHktypwNtt80NYuJ5YIpPi-zSSA14My0.hive	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.targetsize-16.png	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\DeleteToastQuickAction.scale-80.png	HiveRansomware.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\nb-no\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\Locales\ur.pak	HiveRansomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\ui-strings.js.WbcTxAPxA19RHktypwNttzHDs6TfS4dWCtSnxxg0XUc.hive	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\2px.png	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_LogoSmall.targetsize-32.png	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\LargeTile.scale-200.png	HiveRansomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\ui-strings.js	HiveRansomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ppd.xrm-ms	HiveRansomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\liveleak.luac	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x64__8wekyb3d8bbwe\mrt_map.dll	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\AppxMetadata\CodeIntegrity.cat	HiveRansomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\STSUPLD.INTL.DLL.WbcTxAPxA19RHktypwNtt4pVbau7yyE6d5CEWTkorlA.hive	HiveRansomware.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.dll.WbcTxAPxA19RHktypwNtt-N07ruzByMdIrti9XYbN0o.hive	HiveRansomware.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\fr-FR\MSFT_PackageManagementSource.schema.mfl.WbcTxAPxA19RHktypwNtt8PpICrSKhpPgMVElfzzFEw.hive	HiveRansomware.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\msvcp140_2.dll.WbcTxAPxA19RHktypwNtt19gGe31VKk7mtYRhiA47TY.hive	HiveRansomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\vscroll-thumb.png	HiveRansomware.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	HiveRansomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\kn.pak	HiveRansomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PPT_WHATSNEW.XML.WbcTxAPxA19RHktypwNttyrDQZgCGJ4cm-QP6HGGwgw.hive	HiveRansomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-100.png.WbcTxAPxA19RHktypwNtt-58TMf0PPJGALf7rDlvx1M.hive	HiveRansomware.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF.WbcTxAPxA19RHktypwNtt3xLqE_t3c5OPSWSx-R_vlM.hive	HiveRansomware.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ru-ru\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-MX\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Program Files (x86)\Internet Explorer\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StopwatchSmallTile.contrast-white_scale-125.png	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	HiveRansomware.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\AppxMetadata\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-il\ui-strings.js	HiveRansomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\kk.pak.DATA.WbcTxAPxA19RHktypwNtt0sc1zAZnUY_PeE_jTZDzi4.hive	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-64.png	HiveRansomware.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WindowsBase.resources.dll	HiveRansomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\am_get.svg.WbcTxAPxA19RHktypwNttxJncA_GOFFvVi8KHbMZ-CA.hive	HiveRansomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ppd.xrm-ms	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Square71x71Logo.scale-100.png	HiveRansomware.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Requests.dll	HiveRansomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.WbcTxAPxA19RHktypwNtt9eKZRpMKNZnXx8mGP5USlw.hive	HiveRansomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso98win32client.dll	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Light\Silhouette.png	HiveRansomware.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.dll.WbcTxAPxA19RHktypwNtt9KnUhrwgn4-vm6sBUumD0E.hive	HiveRansomware.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.CSharp.dll.WbcTxAPxA19RHktypwNtt70T8HvJy-sk6Atim894RCI.hive	HiveRansomware.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msdasqlr.dll	HiveRansomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\ant-javafx.jar	HiveRansomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-oob.xrm-ms.WbcTxAPxA19RHktypwNtt6uf_Qh6jYVeT-3tNhObfgg.hive	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-48_altform-unplated_contrast-black.png	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-32.png	HiveRansomware.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Xaml.resources.dll	HiveRansomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_radio_selected_18.svg.WbcTxAPxA19RHktypwNtt1ctfQ3OTGQpOccTtfwzbzM.hive	HiveRansomware.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_d41f26718364aca2\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mapcontrol_31bf3856ad364e35_10.0.19041.264_none_f136bcd869745605\f\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mountpointmanager_31bf3856ad364e35_10.0.19041.1_none_a8893249a6634a0f\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..icysnapin.resources_31bf3856ad364e35_10.0.19041.1_es-es_9a3a07531f42a1ea\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-r..component.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d3082114fc553477\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_system.net.http.webrequest.resources_b03f5f7f11d50a3a_4.0.15805.0_ja-jp_3836d7ee464fc17d\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_dual_wsynth3dvsp.inf_31bf3856ad364e35_10.0.19041.928_none_9d4cae4ff863dc9a\f\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_lltdio.inf.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_cfdc26668f63c597\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-chkwudrv_31bf3856ad364e35_10.0.19041.1_none_3d0cf44cd5467f9b\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-srdelayed_31bf3856ad364e35_10.0.19041.1_none_0c4e6556fb852148\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-i..itiator_service_mof_31bf3856ad364e35_10.0.19041.1_none_69b31686898b623a\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\wow64_microsoft.windows.winhttpcom_31bf3856ad364e35_5.1.19041.1151_none_90fbce7e9cbb300b\f\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ity-vault.resources_31bf3856ad364e35_10.0.19041.1_en-us_a880d85aa9a30b29\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..-tlsbrand.resources_31bf3856ad364e35_10.0.19041.1_es-es_d313d84f97daf433\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft.build.resources_b03f5f7f11d50a3a_4.0.15805.0_es-es_6e0586b4cc70ebc5\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-propsys_31bf3856ad364e35_7.0.19041.1023_none_aef517a235fd01bd\f\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-ie-imagesupport_31bf3856ad364e35_11.0.19041.1_none_cbb8b5ac44e86ec9\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.WorkflowServices.resources\v4.0_4.0.0.0_es_31bf3856ad364e35\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..atibility.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_527d3b02de635918\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a...appxmain.resources_31bf3856ad364e35_10.0.19041.1_en-us_336daaaf7b798f62\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-l..lperclass.resources_31bf3856ad364e35_10.0.19041.1_en-us_f3b35eaa1de83a35\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ntlanman_31bf3856ad364e35_10.0.19041.1151_none_a4e12ad497c9c10b\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..tworklocationflyout_31bf3856ad364e35_10.0.19041.1_none_cc52efdbb756619b\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-usercpl.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_d35b1adf70e84e97\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wlanpref.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_d4c62a7fb4e8f808\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_system.directoryservices.resources_b03f5f7f11d50a3a_4.0.15805.0_es-es_9464669fbebb956f\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-n..mplatform.resources_31bf3856ad364e35_10.0.19041.1_es-es_5cc4aabfb52f3098\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard.resources\v4.0_10.0.0.0_es_31bf3856ad364e35\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ional-codepage-core_31bf3856ad364e35_10.0.19041.1_none_ecc5d2879c840ab0\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-internal-bluetooth_31bf3856ad364e35_10.0.19041.153_none_5393ecd0063f2e3d\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wincal-adm.resources_31bf3856ad364e35_10.0.19041.1_de-de_22a5bf7f6e8f08b4\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-netcorehelperclasses_31bf3856ad364e35_10.0.19041.746_none_ca76331610b1c6ac\f\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_it-it_05ff04e5d71bfd5f\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Data.Services.Client.Resources\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\diagnostics\system\PCW\en-US\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..schema-desktopshell_31bf3856ad364e35_10.0.19041.746_none_1f940fc5d879e586\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-eventlog-forwardplugin_31bf3856ad364e35_10.0.19041.1_none_2b5b36de8d376f2c\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-powershell-message_31bf3856ad364e35_10.0.19041.1_none_e3360589d7c26a88\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-inputswitch_31bf3856ad364e35_10.0.19041.964_none_ce4363029435f532\r\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-security-spp-ux_31bf3856ad364e35_10.0.19041.1202_none_dad675f788694b0e\f\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security.Cryptography.Algorithms\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_ro-ro_6bff4a7f0ff97122\f\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\wow64_microsoft-gaming-ga..rnal-presencewriter_31bf3856ad364e35_10.0.19041.1_none_c26c8624c595ae48\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_aspnet_compiler.resources_b03f5f7f11d50a3a_4.0.15805.0_ja-jp_820a2b123d73238f\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..stant-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b7a348870cfdf15f\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..ectortool.resources_31bf3856ad364e35_10.0.19041.1_it-it_b85d4aee59c7ac79\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-f..utilityexfatlibrary_31bf3856ad364e35_10.0.19041.1023_none_9ed71b6af364d7b2\r\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..gement-ui.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_7d98d4a95367c283\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-smbserver-v2_31bf3856ad364e35_10.0.19041.153_none_b7d8080d5555d98d\f\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet_webadmin_res_res_b03f5f7f11d50a3a_10.0.19041.1_none_75268b2c3414b354\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_dual_wnetvsc.inf_31bf3856ad364e35_10.0.19041.928_none_9e1aff160f29d829\r\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..necoreuap.resources_31bf3856ad364e35_10.0.19041.117_en-us_0f4e5cc52b2ff016\r\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-f..overy-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_03a48f2d72a0f6b0\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hal-events-container_31bf3856ad364e35_10.0.19041.1_none_dc3655c7fbc74cb6\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-pnpsysprep.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b5df105892a9782a\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..laboration-rdpencom_31bf3856ad364e35_10.0.19041.746_none_6d582c4fb817442e\r\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_multipoint-powershell-multipointvdi_31bf3856ad364e35_10.0.19041.1_none_33f6f3d8c0e72c08\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_system.web.entity.resources_b77a5c561934e089_4.0.15805.0_fr-fr_20443b224f765bf1\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_fdssdp_31bf3856ad364e35_10.0.19041.746_none_18d73d63d30da626\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ispbroker.resources_31bf3856ad364e35_10.0.19041.1_es-es_6bf546ea536d7478\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-l..volume-professional_31bf3856ad364e35_10.0.19041.1288_none_9c7ade98abb671d1\HOW_TO_DECRYPT.txt	HiveRansomware.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 64 IoCs

defense_evasion

pid	Process
1756	timeout.exe
1312	timeout.exe
1960	timeout.exe
2348	timeout.exe
4392	timeout.exe
4716	timeout.exe
4392	timeout.exe
2120	timeout.exe
3964	timeout.exe
2884	timeout.exe
3956	timeout.exe
3352	timeout.exe
3360	timeout.exe
4244	timeout.exe
5092	timeout.exe
1920	timeout.exe
4520	timeout.exe
1996	timeout.exe
1604	timeout.exe
2912	timeout.exe
4316	timeout.exe
4296	timeout.exe
4136	timeout.exe
4384	timeout.exe
844	timeout.exe
4540	timeout.exe
4404	timeout.exe
4436	timeout.exe
4936	timeout.exe
3268	timeout.exe
4580	timeout.exe
4180	timeout.exe
2388	timeout.exe
5104	timeout.exe
4048	timeout.exe
1808	timeout.exe
4932	timeout.exe
3756	timeout.exe
3532	timeout.exe
3576	timeout.exe
412	timeout.exe
164	timeout.exe
1944	timeout.exe
5064	timeout.exe
5068	timeout.exe
2600	timeout.exe
2380	timeout.exe
4352	timeout.exe
4716	timeout.exe
5068	timeout.exe
4972	timeout.exe
4352	timeout.exe
3028	timeout.exe
4468	timeout.exe
384	timeout.exe
4076	timeout.exe
2440	timeout.exe
1916	timeout.exe
1856	timeout.exe
4732	timeout.exe
3864	timeout.exe
2104	timeout.exe
4272	timeout.exe
4432	timeout.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2593460650-190333679-3676257533-1000\{8A8514D5-39ED-47C8-85B6-63F609595F02}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3760	HiveRansomware.exe
3760	HiveRansomware.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	388	explorer.exe
Token: SeCreatePagefilePrivilege	388	explorer.exe
Token: SeShutdownPrivilege	388	explorer.exe
Token: SeCreatePagefilePrivilege	388	explorer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
388	explorer.exe
388	explorer.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
388	explorer.exe
388	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3760 wrote to memory of 5044	3760	HiveRansomware.exe	97
PID 3760 wrote to memory of 5044	3760	HiveRansomware.exe	97
PID 3760 wrote to memory of 5044	3760	HiveRansomware.exe	97
PID 3760 wrote to memory of 3180	3760	HiveRansomware.exe	98
PID 3760 wrote to memory of 3180	3760	HiveRansomware.exe	98
PID 3760 wrote to memory of 3180	3760	HiveRansomware.exe	98
PID 5044 wrote to memory of 644	5044	cmd.exe	101
PID 5044 wrote to memory of 644	5044	cmd.exe	101
PID 5044 wrote to memory of 644	5044	cmd.exe	101
PID 5044 wrote to memory of 4244	5044	cmd.exe	102
PID 5044 wrote to memory of 4244	5044	cmd.exe	102
PID 5044 wrote to memory of 4244	5044	cmd.exe	102
PID 5044 wrote to memory of 2380	5044	cmd.exe	103
PID 5044 wrote to memory of 2380	5044	cmd.exe	103
PID 5044 wrote to memory of 2380	5044	cmd.exe	103
PID 5044 wrote to memory of 3956	5044	cmd.exe	104
PID 5044 wrote to memory of 3956	5044	cmd.exe	104
PID 5044 wrote to memory of 3956	5044	cmd.exe	104
PID 5044 wrote to memory of 4180	5044	cmd.exe	105
PID 5044 wrote to memory of 4180	5044	cmd.exe	105
PID 5044 wrote to memory of 4180	5044	cmd.exe	105
PID 5044 wrote to memory of 4520	5044	cmd.exe	106
PID 5044 wrote to memory of 4520	5044	cmd.exe	106
PID 5044 wrote to memory of 4520	5044	cmd.exe	106
PID 5044 wrote to memory of 5064	5044	cmd.exe	107
PID 5044 wrote to memory of 5064	5044	cmd.exe	107
PID 5044 wrote to memory of 5064	5044	cmd.exe	107
PID 5044 wrote to memory of 1960	5044	cmd.exe	108
PID 5044 wrote to memory of 1960	5044	cmd.exe	108
PID 5044 wrote to memory of 1960	5044	cmd.exe	108
PID 5044 wrote to memory of 4352	5044	cmd.exe	109
PID 5044 wrote to memory of 4352	5044	cmd.exe	109
PID 5044 wrote to memory of 4352	5044	cmd.exe	109
PID 5044 wrote to memory of 3908	5044	cmd.exe	110
PID 5044 wrote to memory of 3908	5044	cmd.exe	110
PID 5044 wrote to memory of 3908	5044	cmd.exe	110
PID 5044 wrote to memory of 888	5044	cmd.exe	111
PID 5044 wrote to memory of 888	5044	cmd.exe	111
PID 5044 wrote to memory of 888	5044	cmd.exe	111
PID 5044 wrote to memory of 3268	5044	cmd.exe	112
PID 5044 wrote to memory of 3268	5044	cmd.exe	112
PID 5044 wrote to memory of 3268	5044	cmd.exe	112
PID 5044 wrote to memory of 2280	5044	cmd.exe	113
PID 5044 wrote to memory of 2280	5044	cmd.exe	113
PID 5044 wrote to memory of 2280	5044	cmd.exe	113
PID 5044 wrote to memory of 4380	5044	cmd.exe	114
PID 5044 wrote to memory of 4380	5044	cmd.exe	114
PID 5044 wrote to memory of 4380	5044	cmd.exe	114
PID 5044 wrote to memory of 3352	5044	cmd.exe	115
PID 5044 wrote to memory of 3352	5044	cmd.exe	115
PID 5044 wrote to memory of 3352	5044	cmd.exe	115
PID 5044 wrote to memory of 2228	5044	cmd.exe	116
PID 5044 wrote to memory of 2228	5044	cmd.exe	116
PID 5044 wrote to memory of 2228	5044	cmd.exe	116
PID 5044 wrote to memory of 2388	5044	cmd.exe	117
PID 5044 wrote to memory of 2388	5044	cmd.exe	117
PID 5044 wrote to memory of 2388	5044	cmd.exe	117
PID 5044 wrote to memory of 4580	5044	cmd.exe	119
PID 5044 wrote to memory of 4580	5044	cmd.exe	119
PID 5044 wrote to memory of 4580	5044	cmd.exe	119
PID 5044 wrote to memory of 1996	5044	cmd.exe	120
PID 5044 wrote to memory of 1996	5044	cmd.exe	120
PID 5044 wrote to memory of 1996	5044	cmd.exe	120
PID 5044 wrote to memory of 4404	5044	cmd.exe	121

C:\Users\Admin\AppData\Local\Temp\HiveRansomware.exe
"C:\Users\Admin\AppData\Local\Temp\HiveRansomware.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c hive.bat >NUL 2>NUL
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:644
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4244
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2380
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3956
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4180
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4520
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:5064
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1960
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4352
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3908
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:888
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3268
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2280
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4380
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3352
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2228
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2388
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4580
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1996
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4404
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1444
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3864
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:788
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3232
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4180
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4732
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1604
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2912
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3184
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:384
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2348
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4392
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:5096
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4716
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3500
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:844
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4444
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2940
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:5104
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1552
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4716
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2104
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4316
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4076
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:5068
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3360
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4392
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4972
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4756
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1856
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2600
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4468
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3912
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2664
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4732
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1756
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4540
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2120
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4072
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1376
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4048
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4404
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4628
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3944
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1268
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4272
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3532
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:392
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2644
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1752
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1944
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4520
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:5068
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3964
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4480
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4352
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4708
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1320
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4436
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2884
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4248
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4312
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4432
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1840
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4932
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4188
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4176
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:5064
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3124
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4264
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4296
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4308
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2644
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3880
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3576
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4540
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:696
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4600
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1312
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4068
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5104
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1808
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2440
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4404
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4128
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:412
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4244
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4408
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1320
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1476
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3980
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3732
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3756
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:164
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:5092
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1916
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:672
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:668
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3924
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4136
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:5084
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:856
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4384
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3028
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1856
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4980
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4724
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4000
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3472
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4732
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1920
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c shadow.bat >NUL 2>NUL
  2⤵
  PID:3180

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\HOW_TO_DECRYPT.txt

Filesize
1KB

MD5
80207d0f8ea42bdfeaf9f5c586230aca

SHA1
747481fe2b0b6d81c3b19ba62d1e49eab6a5461f

SHA256
25edefb3b0678dfe0d927ff48ce67254359ba379df9468f634d02c026f0e7131

SHA512
73f68ce9e98d2346be1762bd54bb06ef83ae939dfbcf9b786d9b773fa454352613387d264b7a87a1c08950226553817bf01f5aa4107bc12de36a1689e2137304

Download Submit
C:\$Recycle.Bin\S-1-5-21-2593460650-190333679-3676257533-1000\desktop.ini

Filesize
129B

MD5
c90b188a44f9565f0cb1b04c979a6a1e

SHA1
3c803fac44d8b021a59bfb91fd1418aa167c42e2

SHA256
803ed939abf940494406b22aa2dcf244c2c632c5ed1e97fd2ca96a1cebc5ce2a

SHA512
0d13ccd9e38e528448db830b5170a211912572b3c8bc110090183e9c9c948884ea3fa8d52d768db59f13ba37fdaed9ed9da511a975987cfe720373c9170cd23f

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.WbcTxAPxA19RHktypwNtt9rxY0emvVxEPt3t05eDJ2E.hive

Filesize
622KB

MD5
6464592b77321c1e7f2c71d88407afe8

SHA1
adc74fb425e2b2c323b1bde036b63a0aab4a9b98

SHA256
846bf9ed14dc892f5a2e910300fa8fa3f82875f23c64dff2d61435dcdcd5b513

SHA512
bdad0f296ca8680bd8497ac4301b2d71adad4b967e7c84e0224324def4001030ee8e5e22683c621ffed3f3b453206b8fe940f7be90be1dc458fc90b16c467bee

Download Submit
C:\Users\Admin\AppData\Local\Temp\hive.bat

Filesize
182B

MD5
b04d4c811903c7edc9e695e603b54edc

SHA1
411e5bba4ea1bcc40681535824aa9f77e97a7121

SHA256
29e5f50257e9597415e2cc3289e82e7d197ed1071769960167bad1196182f7d0

SHA512
733e999f48f11c64e171c9e2791a1845019de857522a0d4bcb9b756dca84b2b7608db2d59801f1353ae9f484962ff781df6f0fb271409b3ee838f3dd37947010

Download Submit
C:\Users\Admin\AppData\Local\Temp\shadow.bat

Filesize
57B

MD5
df5552357692e0cba5e69f8fbf06abb6

SHA1
4714f1e6bb75a80a8faf69434726d176b70d7bd8

SHA256
d158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8

SHA512
a837555a1175ab515e2b43da9e493ff0ccd4366ee59defe6770327818ca9afa6f3e39ecdf5262b69253aa9e2692283ee8cebc97d58edd42e676977c7f73d143d

Download Submit
memory/3760-10567-0x0000000000520000-0x0000000000783000-memory.dmp

Filesize
2.4MB

Download
memory/3760-1-0x0000000000520000-0x0000000000783000-memory.dmp

Filesize
2.4MB

Download
memory/3760-2515-0x0000000000520000-0x0000000000783000-memory.dmp

Filesize
2.4MB

Download
memory/3760-4666-0x0000000000520000-0x0000000000783000-memory.dmp

Filesize
2.4MB

Download
memory/3760-6853-0x0000000000520000-0x0000000000783000-memory.dmp

Filesize
2.4MB

Download
memory/3760-0-0x0000000000520000-0x0000000000783000-memory.dmp

Filesize
2.4MB

Download
memory/3760-15874-0x0000000000520000-0x0000000000783000-memory.dmp

Filesize
2.4MB

Download
memory/3760-2-0x0000000000520000-0x0000000000783000-memory.dmp

Filesize
2.4MB

Download
memory/3760-19727-0x0000000000520000-0x0000000000783000-memory.dmp

Filesize
2.4MB

Download
memory/3760-22874-0x0000000000520000-0x0000000000783000-memory.dmp

Filesize
2.4MB

Download
memory/3760-22875-0x0000000000520000-0x0000000000783000-memory.dmp

Filesize
2.4MB

Download
memory/3760-23185-0x0000000000520000-0x0000000000783000-memory.dmp

Filesize
2.4MB

Download
memory/3760-24274-0x0000000000520000-0x0000000000783000-memory.dmp

Filesize
2.4MB

Download
memory/3760-24275-0x0000000000520000-0x0000000000783000-memory.dmp

Filesize
2.4MB

Download
memory/3760-24276-0x0000000000520000-0x0000000000783000-memory.dmp

Filesize
2.4MB

Download
memory/3760-24277-0x0000000000520000-0x0000000000783000-memory.dmp

Filesize
2.4MB

Download