hive | 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1

Analysis

max time kernel
169s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2025, 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HiveRansomware.exe
Size

764KB
MD5

2f9fc82898d718f2abe99c4a6fa79e69
SHA1

9d336b8911c8ffd7cc809e31d5b53796bb0cc7bb
SHA256

88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1
SHA512

19f0879b1c54d305ab7a97a0d46ab79c103d4687fe37d5f9ef1934904eea48a1c66b1ac2de3dace6dc0d91623309287044c198cb0b3fc9f8453fbc9d1c0cae8b
SSDEEP

12288:CinNFNkY/yU97ppM4NSBG81Np2C9H4S3iDjlLtc4wCIITIQaOI6NrwacVYV+4MsT:CinN3n/y67jM4v4kCSPDjlLtbwt8IQLH

Score

10^/10

hive credential_access discovery persistence ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\$Recycle.Bin\HOW_TO_DECRYPT.txt

Family

hive

Ransom Note

Your network has been breached and all data is encrypted. To decrypt all the data you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: EQA9oydTxwXS Password: vNtgAgb3kMFmCooANNQr Follow the guidelines below to avoid losing your data: - Do not shutdown or reboot your computers, unmount external storages. - Do not try to decrypt data using third party software. It may cause irreversible damage. - Do not fool yourself. Encryption has perfect secrecy and it's impossible to decrypt without knowing the key. - Do not modify, rename or delete *.key.hive files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to authorities. The negotiation process will be terminated immediately and the key will be erased. - Do not reject to purchase. Your sensitive data will be publicly disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

URLs

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

Signatures

Detects Go variant of Hive Ransomware 18 IoCs

resource	yara_rule
behavioral1/memory/756-15-0x0000000000A60000-0x0000000000CC3000-memory.dmp	hive_go
behavioral1/memory/756-14-0x0000000000A60000-0x0000000000CC3000-memory.dmp	hive_go
behavioral1/memory/756-1763-0x0000000000A60000-0x0000000000CC3000-memory.dmp	hive_go
behavioral1/memory/756-4089-0x0000000000A60000-0x0000000000CC3000-memory.dmp	hive_go
behavioral1/memory/756-5970-0x0000000000A60000-0x0000000000CC3000-memory.dmp	hive_go
behavioral1/memory/756-8626-0x0000000000A60000-0x0000000000CC3000-memory.dmp	hive_go
behavioral1/memory/756-12867-0x0000000000A60000-0x0000000000CC3000-memory.dmp	hive_go
behavioral1/memory/756-16609-0x0000000000A60000-0x0000000000CC3000-memory.dmp	hive_go
behavioral1/memory/756-19673-0x0000000000A60000-0x0000000000CC3000-memory.dmp	hive_go
behavioral1/memory/756-22824-0x0000000000A60000-0x0000000000CC3000-memory.dmp	hive_go
behavioral1/memory/756-22826-0x0000000000A60000-0x0000000000CC3000-memory.dmp	hive_go
behavioral1/memory/756-23164-0x0000000000A60000-0x0000000000CC3000-memory.dmp	hive_go
behavioral1/memory/756-24225-0x0000000000A60000-0x0000000000CC3000-memory.dmp	hive_go
behavioral1/memory/756-24226-0x0000000000A60000-0x0000000000CC3000-memory.dmp	hive_go
behavioral1/memory/756-24227-0x0000000000A60000-0x0000000000CC3000-memory.dmp	hive_go
behavioral1/memory/756-24228-0x0000000000A60000-0x0000000000CC3000-memory.dmp	hive_go
behavioral1/memory/756-24229-0x0000000000A60000-0x0000000000CC3000-memory.dmp	hive_go
behavioral1/memory/756-24234-0x0000000000A60000-0x0000000000CC3000-memory.dmp	hive_go

Hive
A ransomware written in Golang first seen in June 2021.
ransomware hive
Hive family
hive

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Drops file in Drivers directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\drivers\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\drivers\uk-UA\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\drivers\uk-UA\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\drivers\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\drivers\en-US\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\HOW_TO_DECRYPT.txt	HiveRansomware.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.55eCSpCPU9YYUn8H5SZ0Hjdm74HNpD5j5MwqtDQkjRk.hive	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	HiveRansomware.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\how_to_decrypt.txt	taskmgr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\HOW_TO_DECRYPT.txt	HiveRansomware.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	HiveRansomware.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	HiveRansomware.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	HiveRansomware.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	HiveRansomware.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-925314154-1797147466-1467878628-1000\desktop.ini	HiveRansomware.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	HiveRansomware.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Public\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	HiveRansomware.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-925314154-1797147466-1467878628-1000\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Program Files\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	HiveRansomware.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	HiveRansomware.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	HiveRansomware.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	HiveRansomware.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	HiveRansomware.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	HiveRansomware.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	HiveRansomware.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Com\de-DE\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmarn.inf_amd64_947cdd3822225c16\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\ConfigCI\de-DE\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TrustedPlatformModule\ja-JP\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\winrm\0409\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_magneticstripereader.inf_amd64_86e291110e37418b\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnvma.inf_amd64_7080f6b8ea1744fb\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrndis.inf_amd64_be4ba6237d385e2e\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\MUI\0407\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\de-DE\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\Recovery\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\DiagSvcs\fr-FR\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwew00.inf_amd64_325c0bd6349ed81c\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\0006\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0007\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BranchCache\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_fscontinuousbackup.inf_amd64_4db9ca877f67dd36\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgl005.inf_amd64_d9886a7bbe9e55ca\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmhzel.inf_amd64_e90a0a4c8e15815d\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvchannel.inf_amd64_ba3e73aa330c95d6\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\001a\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\RasToast\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\ja-JP\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\ko-KR\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_x86_c62e9f8067f98247\I386\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\perceptionsimulationheadset.inf_amd64_47c7e539c0156424\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_LogResource\it-IT\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_UserResource\ja-JP\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForSome\ja-JP\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\MUI\0C0A\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\Speech\Engines\TTS\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\it-IT\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\en-US\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\Professional\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmnis2u.inf_amd64_0c5757ecd1574b3d\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\uefi.inf_amd64_c1628ffa62c8e54c\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\Com\fr-FR\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\Configuration\Schema\MSFT_FileDirectoryConfiguration\uk-UA\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmaiwa5.inf_amd64_8416dd97e1ecb6dc\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\es-MX\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AssignedAccess\it-IT\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCClassResources\WindowsPackageCab\fr-FR\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\oobe\uk-UA\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\Configuration\PartialConfigurations\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\amdi2c.inf_amd64_d7ae71f8eb52c084\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgl003.inf_amd64_6b639ff361f628eb\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netg664.inf_amd64_84cd7b2798e0a666\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ServiceResource\uk-UA\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\fusionv2.inf_amd64_a47d9636ce0d7dab\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\Volume\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hidbatt.inf_amd64_a6fa9bcee39a694f\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netefe3e.inf_amd64_7830581a689ef40d\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\AdvancedInstallers\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCClassResources\WindowsPackageCab\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCClassResources\WindowsPackageCab\es-ES\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TrustedPlatformModule\fr-FR\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\Ipmi\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\HOW_TO_DECRYPT.txt	HiveRansomware.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/756-0-0x0000000000A60000-0x0000000000CC3000-memory.dmp	upx
behavioral1/memory/756-15-0x0000000000A60000-0x0000000000CC3000-memory.dmp	upx
behavioral1/memory/756-14-0x0000000000A60000-0x0000000000CC3000-memory.dmp	upx
behavioral1/memory/756-1763-0x0000000000A60000-0x0000000000CC3000-memory.dmp	upx
behavioral1/memory/756-4089-0x0000000000A60000-0x0000000000CC3000-memory.dmp	upx
behavioral1/memory/756-5970-0x0000000000A60000-0x0000000000CC3000-memory.dmp	upx
behavioral1/memory/756-8626-0x0000000000A60000-0x0000000000CC3000-memory.dmp	upx
behavioral1/memory/756-12867-0x0000000000A60000-0x0000000000CC3000-memory.dmp	upx
behavioral1/memory/756-16609-0x0000000000A60000-0x0000000000CC3000-memory.dmp	upx
behavioral1/memory/756-19673-0x0000000000A60000-0x0000000000CC3000-memory.dmp	upx
behavioral1/memory/756-22824-0x0000000000A60000-0x0000000000CC3000-memory.dmp	upx
behavioral1/memory/756-22826-0x0000000000A60000-0x0000000000CC3000-memory.dmp	upx
behavioral1/memory/756-23164-0x0000000000A60000-0x0000000000CC3000-memory.dmp	upx
behavioral1/memory/756-24225-0x0000000000A60000-0x0000000000CC3000-memory.dmp	upx
behavioral1/memory/756-24226-0x0000000000A60000-0x0000000000CC3000-memory.dmp	upx
behavioral1/memory/756-24227-0x0000000000A60000-0x0000000000CC3000-memory.dmp	upx
behavioral1/memory/756-24228-0x0000000000A60000-0x0000000000CC3000-memory.dmp	upx
behavioral1/memory/756-24229-0x0000000000A60000-0x0000000000CC3000-memory.dmp	upx
behavioral1/memory/756-24234-0x0000000000A60000-0x0000000000CC3000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.55eCSpCPU9YYUn8H5SZ0HnFPxv-boNVAdxoa-rw2VAA.hive	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	HiveRansomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pl-pl\PlayStore_icon.svg.55eCSpCPU9YYUn8H5SZ0HmZNPQx6d9c06Tgk-PgJ6SY.hive	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraLargeTile.scale-200.png	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-30_altform-unplated_contrast-white.png	HiveRansomware.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\uk-ua\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PackageManagement.MsuProvider.dll.55eCSpCPU9YYUn8H5SZ0HqR4n3t55L1c2RiQfhbshE0.hive	HiveRansomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\th.pak.55eCSpCPU9YYUn8H5SZ0HgkI847d1m5zvlocbA8N3VQ.hive	HiveRansomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7EN.DLL	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeBadge.scale-150.png	HiveRansomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nb-no\ui-strings.js.55eCSpCPU9YYUn8H5SZ0Ht68L1UBdF0H92i95PfLRno.hive	HiveRansomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-time-l1-1-0.dll	HiveRansomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_100_percent.pak.55eCSpCPU9YYUn8H5SZ0HsGCmFZryMNKjbhg6DgG9jI.hive	HiveRansomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\hprof.dll.55eCSpCPU9YYUn8H5SZ0HpOwtP-X2TgJJGtg909SwxE.hive	HiveRansomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\OSFINTL.DLL.55eCSpCPU9YYUn8H5SZ0HkFGp5_8HBYWwrVlMHi35w4.hive	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailWideTile.scale-125.png	HiveRansomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\core_icons_retina.png	HiveRansomware.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe.55eCSpCPU9YYUn8H5SZ0HngZIX7-wnBZIbl2HNNUjws.hive	HiveRansomware.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\Microsoft.PowerShell.PackageManagement.resources.dll.55eCSpCPU9YYUn8H5SZ0Htv0JKjJJC8zhPgndw4lKXs.hive	HiveRansomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.dll	HiveRansomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ppd.xrm-ms	HiveRansomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEEXCL.DLL.55eCSpCPU9YYUn8H5SZ0Hopg4xD9jcMjut3DuOgENww.hive	HiveRansomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-phn.xrm-ms.55eCSpCPU9YYUn8H5SZ0Hife3vbirsBRQya-rkNVU0g.hive	HiveRansomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\db2v0801.xsl.55eCSpCPU9YYUn8H5SZ0Hh7qYxTo4Ok_5NsCb7g7D2U.hive	HiveRansomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hu.pak	HiveRansomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeWord.nrr	HiveRansomware.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-16_altform-colorize.png	HiveRansomware.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\fr-fr\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ja-jp\ui-strings.js.55eCSpCPU9YYUn8H5SZ0Hnj7fisi4mdpOsawZqICP0A.hive	HiveRansomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\css\main-selector.css.55eCSpCPU9YYUn8H5SZ0Hh5BhbLDCfoRxVc7iuucqEU.hive	HiveRansomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\ext\dnsns.jar	HiveRansomware.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Config\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\PesterThrow.Tests.ps1	HiveRansomware.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.dll	HiveRansomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_228ef1_256x240.png.55eCSpCPU9YYUn8H5SZ0HjTYpxzEpU0eUCL804SqJH0.hive	HiveRansomware.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.Design.resources.dll.55eCSpCPU9YYUn8H5SZ0HnKgRQqYg1FVmZkdQA8Kyj8.hive	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_altform-unplated_contrast-white.png	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\Microsoft.PackageManagement.MetaProvider.PowerShell.resources.dll.55eCSpCPU9YYUn8H5SZ0HpgLVj39-DYppIuCTQ-r9kM.hive	HiveRansomware.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Cultures\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms	HiveRansomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOIDRES.DLL	HiveRansomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\MSB1XTOR.DLL	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionWideTile.scale-400.png	HiveRansomware.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\cs-cz\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt.55eCSpCPU9YYUn8H5SZ0HsRXl5ECwrs6H5MDyp6TUFY.hive	HiveRansomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightRegular.ttf	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\SmallTile.scale-125.png	HiveRansomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN102.XML.55eCSpCPU9YYUn8H5SZ0HuXJpAg4UrpKSmACQ90ljFg.hive	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\AppxManifest.xml	HiveRansomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\vlc.mo.55eCSpCPU9YYUn8H5SZ0HgMjhl_ZHmJk6fwpdP09ymQ.hive	HiveRansomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\RECOVR32.CNV	HiveRansomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare.HxS.55eCSpCPU9YYUn8H5SZ0HhDEPbEECR0Zt7HskIg0YTs.hive	HiveRansomware.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\Microsoft.VisualBasic.Forms.resources.dll.55eCSpCPU9YYUn8H5SZ0HlHhnEQld-Rpe2hgYZurkRg.hive	HiveRansomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ipcsecproc.dll.55eCSpCPU9YYUn8H5SZ0HmIahdxFx7xVCX9xnTP2S2o.hive	HiveRansomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-150_contrast-black.png	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\images\PaySquare150x150Logo.scale-200.png	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailWideTile.scale-100.png	HiveRansomware.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ul-oob.xrm-ms	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.scale-100_contrast-black.png	HiveRansomware.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\css\fonts\segoeui_semibold.woff	HiveRansomware.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\wow64_multimedia-voiceactivationmanager_31bf3856ad364e35_10.0.19041.746_none_c97ec87a569d2152\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-s..gstack-boot-onecore_31bf3856ad364e35_10.0.19041.1220_none_6e6ae35b6d51ed8c\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..hangehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_1264b2471f9dae9c\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..confg-rll.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_e9aa26bbe8e1e84a\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..erience-parser-task_31bf3856ad364e35_10.0.19041.1_none_80036e190af52e7c\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wmi-core-fastprox-dll_31bf3856ad364e35_10.0.19041.546_none_d9429a5ad88bee5f\f\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..anup-task.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_4263dfeba94fb6eb\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-userdataaccess-poom_31bf3856ad364e35_10.0.19041.746_none_d17b3fa24d0e8fe6\r\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_system.dynamic.resources_b03f5f7f11d50a3a_4.0.15805.0_fr-fr_3d6845ef3fcdb501\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_wvms_pp.inf.resources_31bf3856ad364e35_10.0.19041.1_de-de_86d5eacbb47bfc29\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\msil_microsoft.security...t.cmdlets.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_54aa693ea123c660\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-appwiz_31bf3856ad364e35_10.0.19041.1_none_cc0bf052faa46ebb\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-xwizards.resources_31bf3856ad364e35_10.0.19041.1_es-es_a648c2acf620a934\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\Speech_OneCore\Engines\Lexicon\it-IT\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_de-de_adbc089469a13870\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-msvpxenc_31bf3856ad364e35_10.0.19041.746_none_3d5a3c2b79ac1cc0\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mmdeviceapi.resources_31bf3856ad364e35_10.0.19041.1_it-it_0a8005036e7b155b\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..anagerdll.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_2869d70b4768a56c\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_msbuild.resources_b03f5f7f11d50a3a_4.0.15805.0_it-it_681d7ce226edc05b\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-fax-mapi_31bf3856ad364e35_10.0.19041.1_none_0fe5bc514ba5e9a1\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-ie-diagnosticshubis_31bf3856ad364e35_11.0.19041.746_none_d581d37b912a7b88\f\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..switch-toasthandler_31bf3856ad364e35_10.0.19041.746_none_a89196e695076787\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..omain-clients-netsh_31bf3856ad364e35_10.0.19041.964_none_d843f661a352ad4b\f\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..iondialog.appxsetup_31bf3856ad364e35_10.0.19041.1_none_a029d8a7ac063705\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-playtostatusprovider_31bf3856ad364e35_10.0.19041.746_none_6cbb6863e18c601f\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-s..ransformers-onecore_31bf3856ad364e35_10.0.19041.262_none_a617ba84a205eb79\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_fidohid.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_bacb60af549a2bd5\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_hyperv-vmsynthnic.resources_31bf3856ad364e35_10.0.19041.1_it-it_8fc1a9a94edec5e8\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..logbroker.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_6f2cd01a516a63c9\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-shutdownux.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d92d9e625ef84d24\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-uiautomationcore_31bf3856ad364e35_10.0.19041.153_none_8e04023da0f60a57\r\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_windows-media-speech-winrt.resources_31bf3856ad364e35_10.0.19041.264_fr-fr_e476c882e67d9457\r\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-credui-onecore_31bf3856ad364e35_10.0.19041.546_none_63a3ce33b6f60c10\f\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_devicepairingproxy.resources_31bf3856ad364e35_10.0.19041.1_en-us_36c84d17b4f5be1d\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..es-picker.resources_31bf3856ad364e35_10.0.19041.1_de-de_bdd2a6fa28f76e8b\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mmdeviceapi.resources_31bf3856ad364e35_10.0.19041.1_es-es_7da098bda477197b\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-pnpsysprep_31bf3856ad364e35_10.0.19041.964_none_1f9f29a915f3a36f\f\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-shell32_31bf3856ad364e35_10.0.19041.153_none_4a14997c70d61386\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_xboxgip.inf.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_64d72a1cc49999f6\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-alg.resources_31bf3856ad364e35_10.0.19041.1_it-it_9744f3e875d121e7\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sethc.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_378d006735301292\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_11.0.19041.1202_none_c4b5deacb4dec365\r\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\schemas\Provisioning\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..vel-winrt.resources_31bf3856ad364e35_10.0.19041.1_it-it_de519d58c1a590ae\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..verytools.resources_31bf3856ad364e35_10.0.19041.1_en-us_c4b46b091192e8fe\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w3logsvc_31bf3856ad364e35_10.0.19041.264_none_628fe4443ce5fa46\r\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_netelx.inf.resources_31bf3856ad364e35_10.0.19041.1_de-de_707a87b4d6ea04f1\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_netfx4-netfx45_iis_schema_update_xml_b03f5f7f11d50a3a_4.0.15805.0_none_68359296cafc3efb\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_netnwifi.inf.resources_31bf3856ad364e35_10.0.19041.1_es-es_f8c97efa00940c3d\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-wimgapi_31bf3856ad364e35_10.0.19041.84_none_8af369f4775cb563\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\wow64_windows-id-connecte..nt-provider-wlidfdp_31bf3856ad364e35_10.0.19041.1_none_644d2a168b2d4825\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\Branding\Basebrd\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.WriteDiagProgress.Resources\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-appid_31bf3856ad364e35_10.0.19041.1202_none_cc0c3d35675da3a1\r\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..ertransport-network_31bf3856ad364e35_10.0.19041.1_none_a8a8654729b55b6e\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-certutil.resources_31bf3856ad364e35_10.0.19041.1_it-it_12bea38987ba4ee9\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_multimedia-windows-..rotection-playready_31bf3856ad364e35_10.0.19041.1288_none_c581dfb948f68718\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-speechengine-onecore_31bf3856ad364e35_10.0.19041.746_none_c684e135658d03c6\r\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Management.Automation\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\1031\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..it-snapin.resources_31bf3856ad364e35_10.0.19041.1_en-us_60d0ba296fb2847b\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..ssettings.resources_31bf3856ad364e35_10.0.19041.1_it-it_8bc81a769e7f7d21\HOW_TO_DECRYPT.txt	HiveRansomware.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..vider-dll.resources_31bf3856ad364e35_10.0.19041.1_es-es_b3b0ed14fe40ccd3\HOW_TO_DECRYPT.txt	HiveRansomware.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Delays execution with timeout.exe 64 IoCs

defense_evasion

pid	Process
936	timeout.exe
2776	timeout.exe
4348	timeout.exe
964	timeout.exe
1144	timeout.exe
1436	timeout.exe
2480	timeout.exe
1560	timeout.exe
1480	timeout.exe
3520	timeout.exe
4356	timeout.exe
936	timeout.exe
508	timeout.exe
3584	timeout.exe
3272	timeout.exe
1744	timeout.exe
1332	timeout.exe
5096	timeout.exe
5036	timeout.exe
2952	timeout.exe
4700	timeout.exe
4520	timeout.exe
4524	timeout.exe
1744	timeout.exe
464	timeout.exe
1620	timeout.exe
4160	timeout.exe
4160	timeout.exe
5060	timeout.exe
4848	timeout.exe
4608	timeout.exe
3432	timeout.exe
3080	timeout.exe
3792	timeout.exe
1680	timeout.exe
964	timeout.exe
5028	timeout.exe
3856	timeout.exe
5104	timeout.exe
4232	timeout.exe
1704	timeout.exe
3732	timeout.exe
544	timeout.exe
5060	timeout.exe
1600	timeout.exe
1104	timeout.exe
4612	timeout.exe
1384	timeout.exe
2804	timeout.exe
2040	timeout.exe
4284	timeout.exe
3896	timeout.exe
1504	timeout.exe
1772	timeout.exe
648	timeout.exe
1000	timeout.exe
4044	timeout.exe
4152	timeout.exe
4356	timeout.exe
2804	timeout.exe
4416	timeout.exe
2040	timeout.exe
1016	timeout.exe
4772	timeout.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-925314154-1797147466-1467878628-1000\{456A4CF2-15CF-4ABD-948A-75FAEBA59F8B}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
756	HiveRansomware.exe
756	HiveRansomware.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	528	taskmgr.exe
Token: SeSystemProfilePrivilege	528	taskmgr.exe
Token: SeCreateGlobalPrivilege	528	taskmgr.exe
Token: SeShutdownPrivilege	3184	explorer.exe
Token: SeCreatePagefilePrivilege	3184	explorer.exe
Token: SeShutdownPrivilege	3184	explorer.exe
Token: SeCreatePagefilePrivilege	3184	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe
528	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 2940	756	HiveRansomware.exe	100
PID 756 wrote to memory of 2940	756	HiveRansomware.exe	100
PID 756 wrote to memory of 2940	756	HiveRansomware.exe	100
PID 756 wrote to memory of 2208	756	HiveRansomware.exe	101
PID 756 wrote to memory of 2208	756	HiveRansomware.exe	101
PID 756 wrote to memory of 2208	756	HiveRansomware.exe	101
PID 2940 wrote to memory of 3792	2940	cmd.exe	104
PID 2940 wrote to memory of 3792	2940	cmd.exe	104
PID 2940 wrote to memory of 3792	2940	cmd.exe	104
PID 2940 wrote to memory of 1560	2940	cmd.exe	105
PID 2940 wrote to memory of 1560	2940	cmd.exe	105
PID 2940 wrote to memory of 1560	2940	cmd.exe	105
PID 2940 wrote to memory of 544	2940	cmd.exe	106
PID 2940 wrote to memory of 544	2940	cmd.exe	106
PID 2940 wrote to memory of 544	2940	cmd.exe	106
PID 2940 wrote to memory of 2344	2940	cmd.exe	107
PID 2940 wrote to memory of 2344	2940	cmd.exe	107
PID 2940 wrote to memory of 2344	2940	cmd.exe	107
PID 2940 wrote to memory of 5032	2940	cmd.exe	108
PID 2940 wrote to memory of 5032	2940	cmd.exe	108
PID 2940 wrote to memory of 5032	2940	cmd.exe	108
PID 2940 wrote to memory of 4516	2940	cmd.exe	109
PID 2940 wrote to memory of 4516	2940	cmd.exe	109
PID 2940 wrote to memory of 4516	2940	cmd.exe	109
PID 2940 wrote to memory of 396	2940	cmd.exe	110
PID 2940 wrote to memory of 396	2940	cmd.exe	110
PID 2940 wrote to memory of 396	2940	cmd.exe	110
PID 2940 wrote to memory of 2276	2940	cmd.exe	111
PID 2940 wrote to memory of 2276	2940	cmd.exe	111
PID 2940 wrote to memory of 2276	2940	cmd.exe	111
PID 2940 wrote to memory of 1900	2940	cmd.exe	112
PID 2940 wrote to memory of 1900	2940	cmd.exe	112
PID 2940 wrote to memory of 1900	2940	cmd.exe	112
PID 2940 wrote to memory of 1652	2940	cmd.exe	113
PID 2940 wrote to memory of 1652	2940	cmd.exe	113
PID 2940 wrote to memory of 1652	2940	cmd.exe	113
PID 2940 wrote to memory of 1772	2940	cmd.exe	114
PID 2940 wrote to memory of 1772	2940	cmd.exe	114
PID 2940 wrote to memory of 1772	2940	cmd.exe	114
PID 2940 wrote to memory of 1104	2940	cmd.exe	115
PID 2940 wrote to memory of 1104	2940	cmd.exe	115
PID 2940 wrote to memory of 1104	2940	cmd.exe	115
PID 2940 wrote to memory of 3472	2940	cmd.exe	116
PID 2940 wrote to memory of 3472	2940	cmd.exe	116
PID 2940 wrote to memory of 3472	2940	cmd.exe	116
PID 2940 wrote to memory of 1480	2940	cmd.exe	117
PID 2940 wrote to memory of 1480	2940	cmd.exe	117
PID 2940 wrote to memory of 1480	2940	cmd.exe	117
PID 2940 wrote to memory of 4328	2940	cmd.exe	118
PID 2940 wrote to memory of 4328	2940	cmd.exe	118
PID 2940 wrote to memory of 4328	2940	cmd.exe	118
PID 2940 wrote to memory of 2040	2940	cmd.exe	119
PID 2940 wrote to memory of 2040	2940	cmd.exe	119
PID 2940 wrote to memory of 2040	2940	cmd.exe	119
PID 2940 wrote to memory of 5036	2940	cmd.exe	121
PID 2940 wrote to memory of 5036	2940	cmd.exe	121
PID 2940 wrote to memory of 5036	2940	cmd.exe	121
PID 2940 wrote to memory of 1404	2940	cmd.exe	123
PID 2940 wrote to memory of 1404	2940	cmd.exe	123
PID 2940 wrote to memory of 1404	2940	cmd.exe	123
PID 2940 wrote to memory of 4344	2940	cmd.exe	125
PID 2940 wrote to memory of 4344	2940	cmd.exe	125
PID 2940 wrote to memory of 4344	2940	cmd.exe	125
PID 2940 wrote to memory of 4644	2940	cmd.exe	126

C:\Users\Admin\AppData\Local\Temp\HiveRansomware.exe
"C:\Users\Admin\AppData\Local\Temp\HiveRansomware.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c hive.bat >NUL 2>NUL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3792
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1560
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:544
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2344
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:5032
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4516
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:396
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1772
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1104
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3472
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1480
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4328
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2040
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:5036
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1404
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4344
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4644
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:936
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3272
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2516
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4160
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1652
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3504
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4160
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3184
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4424
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1404
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3892
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1680
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3080
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1744
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3528
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:5060
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1000
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2804
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4880
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4848
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:936
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:5028
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2776
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4044
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4508
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4396
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3856
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4836
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:5060
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4968
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2240
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1816
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:648
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1272
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1020
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4608
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:5104
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:836
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2952
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:964
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4176
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2592
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4348
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4700
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4212
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4520
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4152
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3432
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4524
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:5008
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4532
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1600
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1104
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4608
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1620
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4184
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4232
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:964
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1332
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4356
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4612
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1144
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2096
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2164
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1436
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4768
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4892
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2040
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4284
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3520
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3016
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3684
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4104
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4744
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1628
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1744
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3868
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4396
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4516
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2408
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1876
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1016
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2156
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4072
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4992
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4772
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:508
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:632
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2552
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4028
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1704
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3356
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4356
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4612
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:1144
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2804
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2972
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4568
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1384
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4416
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3896
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:4160
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3068
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:464
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3208
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1504
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:5096
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:908
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3976
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4212
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2480
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2848
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5032
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2420
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3732
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4944
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3584
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:220
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:3620
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4968
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    PID:880
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1000
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c shadow.bat >NUL 2>NUL
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2208

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops startup file
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:528

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\HOW_TO_DECRYPT.txt

Filesize
1KB

MD5
80207d0f8ea42bdfeaf9f5c586230aca

SHA1
747481fe2b0b6d81c3b19ba62d1e49eab6a5461f

SHA256
25edefb3b0678dfe0d927ff48ce67254359ba379df9468f634d02c026f0e7131

SHA512
73f68ce9e98d2346be1762bd54bb06ef83ae939dfbcf9b786d9b773fa454352613387d264b7a87a1c08950226553817bf01f5aa4107bc12de36a1689e2137304

Download Submit
C:\$Recycle.Bin\S-1-5-21-925314154-1797147466-1467878628-1000\desktop.ini

Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.55eCSpCPU9YYUn8H5SZ0Hm8kxranko8mjiOmRvY3mD0.hive

Filesize
622KB

MD5
876d87ab5ef0c55103ada10156ce97cf

SHA1
369373152770e2dfea2393e2df9d65ca5ab59fce

SHA256
9daa16d54b4a2d56c526b96c2f76eb1acabe9bc31b5f7a0ce9818f91aead8f07

SHA512
648028373122727abfcb9ecbb5a8a30ac2a36d3363a180a5f320348fe3ff04f10140e4afb32a8f5ca6e9c2133b3ea99e3d2695faa3749e55065cfb3a5612182f

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.55eCSpCPU9YYUn8H5SZ0HmMs_sgl2bFeHuCijgc5kVc.hive

Filesize
174B

MD5
c774cbadb4e9e574bbbf66670a5db0f0

SHA1
66d66b89e0e788ad4093b4c89cbc2b8ea5d27655

SHA256
6dd7d2fb4c71b2ad60e6959a6fbc40fd1440d9e9efb321dde67f2a95678f221f

SHA512
db15ff8c5605f99cc6c1d6aa5c458dffe47a4090c3ff3aab10327c10829d47cc4af14e73cf319effc0d0fb9f062a943939544f185a4b9cf283524a72dd23714f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\hive.bat

Filesize
182B

MD5
b04d4c811903c7edc9e695e603b54edc

SHA1
411e5bba4ea1bcc40681535824aa9f77e97a7121

SHA256
29e5f50257e9597415e2cc3289e82e7d197ed1071769960167bad1196182f7d0

SHA512
733e999f48f11c64e171c9e2791a1845019de857522a0d4bcb9b756dca84b2b7608db2d59801f1353ae9f484962ff781df6f0fb271409b3ee838f3dd37947010

Download Submit
C:\Users\Admin\AppData\Local\Temp\shadow.bat

Filesize
57B

MD5
df5552357692e0cba5e69f8fbf06abb6

SHA1
4714f1e6bb75a80a8faf69434726d176b70d7bd8

SHA256
d158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8

SHA512
a837555a1175ab515e2b43da9e493ff0ccd4366ee59defe6770327818ca9afa6f3e39ecdf5262b69253aa9e2692283ee8cebc97d58edd42e676977c7f73d143d

Download Submit
memory/528-8-0x000002359B390000-0x000002359B391000-memory.dmp

Filesize
4KB

Download
memory/528-12-0x000002359B390000-0x000002359B391000-memory.dmp

Filesize
4KB

Download
memory/528-3-0x000002359B390000-0x000002359B391000-memory.dmp

Filesize
4KB

Download
memory/528-2-0x000002359B390000-0x000002359B391000-memory.dmp

Filesize
4KB

Download
memory/528-7-0x000002359B390000-0x000002359B391000-memory.dmp

Filesize
4KB

Download
memory/528-9-0x000002359B390000-0x000002359B391000-memory.dmp

Filesize
4KB

Download
memory/528-10-0x000002359B390000-0x000002359B391000-memory.dmp

Filesize
4KB

Download
memory/528-11-0x000002359B390000-0x000002359B391000-memory.dmp

Filesize
4KB

Download
memory/528-1-0x000002359B390000-0x000002359B391000-memory.dmp

Filesize
4KB

Download
memory/528-13-0x000002359B390000-0x000002359B391000-memory.dmp

Filesize
4KB

Download
memory/756-12867-0x0000000000A60000-0x0000000000CC3000-memory.dmp

Filesize
2.4MB

Download
memory/756-19673-0x0000000000A60000-0x0000000000CC3000-memory.dmp

Filesize
2.4MB

Download
memory/756-5970-0x0000000000A60000-0x0000000000CC3000-memory.dmp

Filesize
2.4MB

Download
memory/756-4089-0x0000000000A60000-0x0000000000CC3000-memory.dmp

Filesize
2.4MB

Download
memory/756-1763-0x0000000000A60000-0x0000000000CC3000-memory.dmp

Filesize
2.4MB

Download
memory/756-0-0x0000000000A60000-0x0000000000CC3000-memory.dmp

Filesize
2.4MB

Download
memory/756-16609-0x0000000000A60000-0x0000000000CC3000-memory.dmp

Filesize
2.4MB

Download
memory/756-14-0x0000000000A60000-0x0000000000CC3000-memory.dmp

Filesize
2.4MB

Download
memory/756-15-0x0000000000A60000-0x0000000000CC3000-memory.dmp

Filesize
2.4MB

Download
memory/756-8626-0x0000000000A60000-0x0000000000CC3000-memory.dmp

Filesize
2.4MB

Download
memory/756-22824-0x0000000000A60000-0x0000000000CC3000-memory.dmp

Filesize
2.4MB

Download
memory/756-22826-0x0000000000A60000-0x0000000000CC3000-memory.dmp

Filesize
2.4MB

Download
memory/756-23164-0x0000000000A60000-0x0000000000CC3000-memory.dmp

Filesize
2.4MB

Download
memory/756-24225-0x0000000000A60000-0x0000000000CC3000-memory.dmp

Filesize
2.4MB

Download
memory/756-24226-0x0000000000A60000-0x0000000000CC3000-memory.dmp

Filesize
2.4MB

Download
memory/756-24227-0x0000000000A60000-0x0000000000CC3000-memory.dmp

Filesize
2.4MB

Download
memory/756-24228-0x0000000000A60000-0x0000000000CC3000-memory.dmp

Filesize
2.4MB

Download
memory/756-24229-0x0000000000A60000-0x0000000000CC3000-memory.dmp

Filesize
2.4MB

Download
memory/756-24234-0x0000000000A60000-0x0000000000CC3000-memory.dmp

Filesize
2.4MB

Download