Analysis
max time kernel: 149s
max time network: 18s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 12-08-2024 07:07

Behavioral task behavioral1
Sample: 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe
Resource: win7-20240729-en

Behavioral task behavioral2
Sample: 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe
Resource: win10v2004-20240802-en

General
Target: 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe
Size: 2.2MB
MD5: 61a8fc763aa8bfdb1e43001566bcfce7
SHA1: b65880c2c590b3d2f736bf2818be923214a6efe5
SHA256: 8d797c2e404f3162c836020500b99c524deedabfc4770ee54fd9e0ea8bfd2ef4
SHA512: 5c39fb96e97dd7291b55b3d16ca0b0521e391369aa639801054e1011b11b3680ec2374dac8b2447677a23bf480c4b2014bb90442f0e8afe1b298c08650d14823
SSDEEP: 24576:lm8bqgR8VT8P5ZmUbFJnDoaY3azzKSP/OFvIxJH92ZK86EqDh8YCJjiraf4oAV/j:v73h3P/4K81TjasiXCUVnjU1HO1

Malware Config
Extracted from: F:\$RECYCLE.BIN\S-1-5-21-2257386474-3982792636-3902186748-1000\HOW_TO_DECRYPT.txt
Family: hive
URLs:
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
The configuration was recovered from the ransom note the sample dropped (path above), not from the binary itself, so the two .onion URLs are the addresses the note directs the victim to.

Signatures

Hive
A ransomware written in Golang, first seen in June 2021. The extracted configuration, the HOW_TO_DECRYPT.txt note and the .hive suffix appended to renamed files in the IoC tables below all match this family, despite the "snatch" label in the submitted filename.

Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
Malicious access to, or copying of, a web browser credential store.

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery. No IoC rows (for example a command line) are listed for this signature in this report.

Drops file in Drivers directory (28 IoCs)
Process for every row: 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe
description | ioc
File created | C:\Windows\SysWOW64\drivers\UMDF\fr-FR\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\drivers\de-DE\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\drivers\UMDF\ja-JP\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\drivers\es-ES\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\drivers\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\es-ES\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\drivers\UMDF\es-ES\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\drivers\UMDF\it-IT\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\de-DE\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\drivers\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\drivers\UMDF\de-DE\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\ja-JP\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\drivers\it-IT\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\drivers\ja-JP\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\it-IT\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\drivers\fr-FR\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\drivers\en-US\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\drivers\UMDF\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\fr-FR\HOW_TO_DECRYPT.txt

Credentials from Password Stores: Windows Credential Manager (1 TTP)
Suspicious access to Credentials History.

Drops startup file (4 IoCs)
Process for every row: 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe
description | ioc
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW_TO_DECRYPT.txt
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\HOW_TO_DECRYPT.txt
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.ShwZ6WJy548J_h8yyu0J49jFm8hbUWIlxWShfXccchE.hive

Loads dropped DLL (15 IoCs)
pid | Process
1708 | MsiExec.exe (8 entries)
2060 | msiexec.exe (6 entries)
2260 | MsiExec.exe (1 entry)
These rows are attributed to Windows Installer (msiexec.exe) processes, not to the sample's own process; the report does not show what launched them or which DLLs were loaded.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops desktop.ini file(s) (64 IoCs)
Process for every row: 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe
description for every row: File opened for modification
ioc
C:\Users\Admin\Saved Games\desktop.ini
C:\Users\Public\Desktop\desktop.ini
F:\$RECYCLE.BIN\S-1-5-21-2257386474-3982792636-3902186748-1000\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini
C:\Users\Admin\Favorites\desktop.ini
C:\Program Files\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\Public\desktop.ini
C:\$Recycle.Bin\S-1-5-21-2257386474-3982792636-3902186748-1000\desktop.ini
C:\Program Files\Microsoft Games\Mahjong\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9T8FF531\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
C:\Users\Admin\Searches\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
C:\Users\Public\Music\desktop.ini
C:\Users\Public\Recorded TV\Sample Media\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini
C:\Program Files\Microsoft Games\Purble Place\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\XTGPLCO4\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini
C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\Users\Public\Libraries\desktop.ini
C:\Users\Public\Music\Sample Music\desktop.ini
C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\58RB03GZ\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini
C:\Users\Admin\Videos\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\Users\Public\Pictures\Sample Pictures\desktop.ini
C:\Users\Public\Videos\Sample Videos\desktop.ini
C:\Program Files\Microsoft Games\FreeCell\desktop.ini
C:\Program Files\Microsoft Games\Solitaire\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\24PZRJVZ\desktop.ini
C:\Users\Admin\Favorites\Links for United States\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Program Files\Microsoft Games\Chess\desktop.ini
C:\Program Files (x86)\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Public\Videos\desktop.ini
C:\Program Files\Microsoft Games\Hearts\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\Admin\Documents\desktop.ini
C:\Users\Admin\Links\desktop.ini
C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI
C:\Users\Admin\Favorites\Links\desktop.ini
C:\Users\Admin\Music\desktop.ini

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process for every row: msiexec.exe
description for every row: File opened (read-only)
ioc (in the report's order): \??\B: \??\H: \??\J: \??\K: \??\M: \??\O: \??\S: \??\X: \??\E: \??\G: \??\L: \??\T: \??\V: \??\W: \??\I: \??\N: \??\P: \??\R: \??\U: \??\A: \??\Q: \??\Y: \??\Z:
That is every drive letter from A: to Z: except C:, D: and F:. As with the dropped-DLL rows, the process here is msiexec.exe rather than the sample itself.

Drops file in System32 directory (64 IoCs)
Process for every row: 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe
description | ioc
File created | C:\Windows\SysWOW64\winrm\0C0A\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\ja-JP\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_neutral_9fe8503f82ce60fa\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\migwiz\PostMigRes\Web\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\winrm\0411\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\de-DE\Licenses\OEM\ProfessionalN\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\en-US\Licenses\eval\HomeBasicN\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\es-ES\Licenses\OEM\StarterN\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\mdmnttd6.inf_amd64_neutral_ce587aa61510da51\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prnep005.inf_amd64_neutral_f2fbc5759618d8fb\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\wialx003.inf_amd64_neutral_db618863f9347f9a\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\de-DE\Licenses\_Default\StarterN\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\es\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prngt004.inf_amd64_neutral_f5bf8a7ba9dfff55\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prnlx00y.inf_amd64_neutral_977318f2317f5ddd\Amd64\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\wiaep002.inf_amd64_neutral_0a982dec66379cb0\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\ja-JP\Licenses\eval\HomePremiumN\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\Dism\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prnca00x.inf_amd64_neutral_eb0842aa932d01ee\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\hpoa1ss.inf_amd64_neutral_8cae09a2238d64e0\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\IME\imekr8\dicts\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\de-DE\Licenses\eval\Starter\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\agp.inf_amd64_neutral_22cdceb61fbafb43\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_neutral_f935002f367d5bb0\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-RasServer-MigPlugin\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\en-US\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\fr-FR\Licenses\OEM\EnterpriseE\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\bthspp.inf_amd64_neutral_1b15060bdfbd09e1\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prnlx002.inf_amd64_neutral_12563574abbc36eb\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\MUI\0C0A\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\com\es-ES\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\mdmtdkj2.inf_amd64_neutral_0cf7696e2236ca4e\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prnle004.inf_amd64_neutral_beb9bf23b7202bff\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prnok302.inf_amd64_ja-jp_708c81a8b0ad8846\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prnrc002.inf_amd64_neutral_fdb6f2e252435905\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\Speech\Engines\SR\ja-JP\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\migwiz\de-DE\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_neutral_ea1c8215e52777a6\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\GroupPolicyUsers\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\zh-TW\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\LogFiles\WUDF\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\en-US\Licenses\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\ph3xibc12.inf_amd64_neutral_ff7295ba5a46d63f\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\en-US\Licenses\OEM\Enterprise\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\es-ES\Licenses\OEM\EnterpriseE\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\it-IT\Licenses\_Default\HomePremiumN\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\circlass.inf_amd64_neutral_cf52485bed804e02\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\winrm\040C\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\InstallShield\setupdir\002d\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\InstallShield\setupdir\000b\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\fr-FR\Licenses\_Default\Professional\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\de-DE\Licenses\OEM\HomePremiumN\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\InstallShield\setupdir\0014\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\XPSViewer\fr-FR\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\bg-BG\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\oobe\it-IT\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\catroot\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\mdmneuhs.inf_amd64_neutral_d1563e8412461eea\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\NDF\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\com\ja-JP\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\prnkm005.inf_amd64_neutral_c03c9e328608873e\HOW_TO_DECRYPT.txt

Drops file in Program Files directory (64 IoCs; the list is cut off in the source after the 55th row)
Process for every row shown: 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe
description | ioc
File created | C:\Program Files\Microsoft Games\HOW_TO_DECRYPT.txt
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Etc\GMT-6
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-core_zh_CN.jar.ShwZ6WJy548J_h8yyu0J468uUANK_PZZuEYCT2A6ijw.hive
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01146_.WMF.ShwZ6WJy548J_h8yyu0J43NauM2RKDwVN--V08CrN14.hive
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196364.WMF.ShwZ6WJy548J_h8yyu0J41gzDdf-3N185mTL6RTxjQE.hive
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WITHCOMP.XML.ShwZ6WJy548J_h8yyu0J46a-bST4CPcz9kVlI9zChQQ.hive
File created | C:\Program Files\Common Files\System\ado\HOW_TO_DECRYPT.txt
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\SettingsInternal.zip.ShwZ6WJy548J_h8yyu0J45KCNS2wcyNwOIjkU4Yp3AU.hive
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-outline.xml
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\RSSFeeds.css
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5.ShwZ6WJy548J_h8yyu0J46J0HPOzdoJPUfpEM52IrzI.hive
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\CollectSignatures_Init.xsn
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl.css.ShwZ6WJy548J_h8yyu0J43uhs058YfAjk6y_AUGnpEc.hive
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Oslo
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\THMBNAIL.PNG.ShwZ6WJy548J_h8yyu0J48-V7gq5dj0icb4-zRxVX1s.hive
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN01165_.WMF
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pohnpei
File created | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\HOW_TO_DECRYPT.txt
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.PH.XML
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLR.SAM.ShwZ6WJy548J_h8yyu0J4-z6cdAzqwsQl7YQhgq9kgI.hive
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Chagos
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\45.png
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-keymap.xml.ShwZ6WJy548J_h8yyu0J49kxtWRROB8u4_SZ-iRehGw.hive
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosecolor.gif
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_h.png
File created | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\HOW_TO_DECRYPT.txt
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\HOW_TO_DECRYPT.txt
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR50F.GIF
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Curacao.ShwZ6WJy548J_h8yyu0J4-wPQaC_JXxbSt0rxk9K7hw.hive
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_setid_plugin.dll
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105306.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUNGLE.GIF
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libx26410b_plugin.dll.ShwZ6WJy548J_h8yyu0J463sYHYyf1tNapsXVJYNlS8.hive
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD09662_.WMF.ShwZ6WJy548J_h8yyu0J4-VZllAK8thrN2-3UeSi-Hg.hive
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImagesMask.bmp.ShwZ6WJy548J_h8yyu0J4365FxpWeUVHsHFF9Es8Vjk.hive
File created | C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\HOW_TO_DECRYPT.txt
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cambridge_Bay.ShwZ6WJy548J_h8yyu0J49ULrcDoW9pudWR4Z7D6CSs.hive
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\micaut.dll.mui
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\BCSAddin.dll
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\POSTCARD.XML.ShwZ6WJy548J_h8yyu0J4-RimdLlb2FdfZiienh_EzQ.hive
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationTypes.resources.dll
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsFormsIntegration.resources.dll
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\THMBNAIL.PNG.ShwZ6WJy548J_h8yyu0J43CYtSxWj0ls-eE2RPMxTXA.hive
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.NO.XML.ShwZ6WJy548J_h8yyu0J4yOM9Sc6zXJUWE-9aJQ-DWI.hive
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0089992.WMF
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSORES.DLL
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-modules.jar
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_dot.png
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00441_.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImages.jpg
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck\TAB_OFF.GIF (row cut off in the source; remaining rows not present)
2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot.png 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll.ShwZ6WJy548J_h8yyu0J40WmyMHs6tZk75XrqV9GYkA.hive 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansRegular.ttf 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02263_.WMF.ShwZ6WJy548J_h8yyu0J45gf6ksfnUx32OOiaLwc9VQ.hive 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00685_.WMF.ShwZ6WJy548J_h8yyu0J44XEc0vRNIIuKi_yt93TMCA.hive 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Prague 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\curl.png 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe.ShwZ6WJy548J_h8yyu0J4_ORhN6rPlIK9Qm2a3-7wGY.hive 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8734fb86705288a7\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\amd64_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3125fd6a3924d681\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\amd64_microsoft-windows-photoviewer_31bf3856ad364e35_6.1.7601.17514_none_3a6490abe657c371\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6a299e36a85d5b1b\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data.OracleC#\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\amd64_microsoft-windows-e..eady_eula.resources_31bf3856ad364e35_6.1.7600.16385_it-it_227e33fb04382aa3\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\amd64_microsoft-windows-installer-sip_31bf3856ad364e35_6.1.7600.16385_none_8f24baa231f55486\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\amd64_microsoft-windows-s..tore-main.resources_31bf3856ad364e35_6.1.7601.17514_de-de_35a4614663a7b4fa\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\amd64_mdmetech.inf_31bf3856ad364e35_6.1.7600.16385_none_9c62e005b58d9ebb\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\amd64_microsoft-windows-dhcp-client-dll_31bf3856ad364e35_6.1.7601.17514_none_35802f0f452f59bb\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created 
C:\Windows\winsxs\amd64_microsoft-windows-ie-ratings.resources_31bf3856ad364e35_8.0.7600.16385_es-es_d037c2581aa0b073\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\msil_windowsbase.resources_31bf3856ad364e35_6.1.7600.16385_es-es_60bc40423cedbf89\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\x86_microsoft-windows-usercpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_22077c9ec2092eae\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\amd64_microsoft-windows-help-netwpr.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1c5c6f2d9b25af0b\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\amd64_pcmcia.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2704f2b7c177fbfc\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\amd64_prnrc002.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b7033beebab86c06\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\x86_microsoft-windows-s..-whitebox.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c6b7009fc64943a1\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\x86_microsoft-windows-v..skservice.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_446a057940cb5482\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ComponentMod#\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\amd64_bda.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bf3a8c35a61e35fb\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created 
C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-00010410_31bf3856ad364e35_6.1.7600.16385_none_e5e3bc0570c2f284\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management.Resources\1.0.0.0_it_31bf3856ad364e35\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\amd64_microsoft-windows-g..in-gpedit.resources_31bf3856ad364e35_6.1.7600.16385_it-it_edce3777ee340f46\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\amd64_microsoft-windows-p..rtmonitor.resources_31bf3856ad364e35_6.1.7600.16385_it-it_2fc20d555b85e7a6\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\wow64_microsoft-windows-i..l-keyboard-0001042f_31bf3856ad364e35_6.1.7600.16385_none_082ad34395bec29a\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\wow64_microsoft-windows-mediaplayer-autoplay_31bf3856ad364e35_6.1.7601.17514_none_8375605f8afb0c19\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\x86_netfx35cdf-cdf_sql_files_31bf3856ad364e35_6.1.7600.16385_none_a203944b32daa861\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\amd64_iirsp2.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_918cd071ea809e06\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\amd64_microsoft-windows-m..-logagent.resources_31bf3856ad364e35_6.1.7600.16385_es-es_deeefe9da7cfa588\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\amd64_microsoft-windows-t..nvservice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c9f660d22efb4b98\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created 
C:\Windows\winsxs\x86_microsoft-windows-proquota.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2d7fdadc9967052b\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\amd64_keyboard.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b96e0b6743553aaf\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..mostfiles.resources_31bf3856ad364e35_8.0.7600.16385_de-de_e46461da0fb83666\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\amd64_microsoft-windows-wmi-mofinstaller_31bf3856ad364e35_6.1.7600.16385_none_6e1250e34571b3f3\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\assembly\GAC_MSIL\System.Data.Services.Design.resources\3.5.0.0_es_b77a5c561934e089\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\amd64_microsoft-windows-winbio.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f79b126d0518f4d5\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\XsdBuildTask\c9c1aec84139cedbfe3731aa316c0ad1\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_et-ee_fb8ea11c9d488af6\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\amd64_microsoft-windows-rpc-ping.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0942432b28e40740\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\amd64_microsoft-windows-uiribbon.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_cbf8792bf6df54c7\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created 
C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.Resources\6.1.0.0_de_31bf3856ad364e35\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\amd64_microsoft-windows-help-vidclip.resources_31bf3856ad364e35_6.1.7600.16385_es-es_161ef265fcdeb2b4\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..tional-codepage-866_31bf3856ad364e35_6.1.7600.16385_none_2adda600b4e25a37\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\amd64_microsoft-windows-t..k-msctfui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a1fadc375bbe80e8\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..ltinstall.resources_31bf3856ad364e35_6.1.7600.16385_it-it_997c76c65575e3a0\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\amd64_microsoft-windows-s..ssmanager.resources_31bf3856ad364e35_6.1.7600.16385_es-es_df30ea2c57d47f4a\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\amd64_microsoft-windows-t..ovidermof.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9cacca735c1fcead\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\x86_microsoft-windows-cdosys.resources_31bf3856ad364e35_6.1.7601.17514_en-us_625234d72032220f\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\inf\TermService\040C\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\servicing\en-US\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created 
C:\Windows\winsxs\amd64_microsoft-windows-b..relevated.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8410814594fed146\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\amd64_microsoft-windows-t..ces-theme.resources_31bf3856ad364e35_6.1.7600.16385_de-de_850100436cc18a89\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\msil_system.speech.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9511f676e4656831\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\x86_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2260a04d0daf0ce1\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\amd64_microsoft-windows-cleanmgr.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b9cb6194b257cc63\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\amd64_microsoft-windows-deskmon.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a06db0f4d325aec9\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\amd64_microsoft-windows-m..-driver-thunking-32_31bf3856ad364e35_6.1.7600.16385_none_8043cdd7733b9536\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\Microsoft.NET\Framework64\1031\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\amd64_microsoft-windows-a..ore-other.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_e9e04fcc9fefe1f5\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\amd64_microsoft-windows-powercfg.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2772236176fd0992\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created 
C:\Windows\winsxs\amd64_prnep00c.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_07c3f3a24fef0937\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\x86_microsoft-windows-w..ccore-api.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d63091e39681e95\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\winsxs\x86_microsoft-windows-t..nputpanel.resources_31bf3856ad364e35_6.1.7600.16385_de-de_53fa798e0f569ac9\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\inf\UGatherer\0409\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe -
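The file events above all follow one layout: the original name is kept, a 43-character base64url token is inserted, `.hive` is appended, and a `HOW_TO_DECRYPT.txt` note is created in each directory the sample touches. The script below is an added example, not code from the report or from the sample: it parses file-event lines in the report's own `<action> <path> <process>` form, separates encrypted files, ransom notes and files that were only opened, and decodes the token to confirm it is well-formed. The token size is the report's (43 base64url characters decode to 32 bytes); what those bytes encode is not stated on this page and the script makes no claim about it. The sample lines are copied from the report above.

```python
import base64
import os
import re
from collections import Counter

# Encrypted-name layout as it appears in the report above:
#   <original name>.<43-char base64url token>.hive
HIVE_NAME_RE = re.compile(r"^(?P<orig>.+)\.(?P<token>[A-Za-z0-9_-]{43})\.hive$")
# One sandbox file event: "<action> <path> <process>". The path may contain
# spaces ("Program Files (x86)"), the process image name does not, so the
# last whitespace-delimited field is the process.
EVENT_RE = re.compile(r"^(File created|File opened for modification) (.+) (\S+)$")
NOTE_NAME = "HOW_TO_DECRYPT.txt"

# Lines copied from the report above (a subset that exercises every branch).
SAMPLE_EVENTS = r"""
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5.ShwZ6WJy548J_h8yyu0J46J0HPOzdoJPUfpEM52IrzI.hive 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl.css.ShwZ6WJy548J_h8yyu0J43uhs058YfAjk6y_AUGnpEc.hive 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Oslo 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe
File created C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLR.SAM.ShwZ6WJy548J_h8yyu0J4-z6cdAzqwsQl7YQhgq9kgI.hive 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe.ShwZ6WJy548J_h8yyu0J4_ORhN6rPlIK9Qm2a3-7wGY.hive 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe
File created C:\Windows\servicing\en-US\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe
"""


def parse_hive_name(name):
    """Split an encrypted file name into (original name, token, token bytes).

    Returns None for names that do not follow the layout. The token is
    decoded only to check that it is well-formed base64url of a fixed size;
    this page says nothing about what the bytes mean.
    """
    m = HIVE_NAME_RE.match(name)
    if m is None:
        return None
    token = m.group("token")
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    return m.group("orig"), token, raw


def summarize(report_text):
    """Count ransom notes, encrypted files and untouched files in report lines."""
    notes = Counter()      # directory -> number of HOW_TO_DECRYPT.txt created there
    encrypted = []         # (directory, original name, token bytes)
    untouched = []         # opened for modification but not (yet) renamed
    tokens = []
    for line in report_text.strip().splitlines():
        m = EVENT_RE.match(line)
        if m is None:
            continue
        action, path, _process = m.groups()
        directory, _, name = path.rpartition("\\")
        if name == NOTE_NAME and action == "File created":
            notes[directory] += 1
            continue
        parsed = parse_hive_name(name)
        if parsed is None:
            untouched.append(path)
            continue
        orig, token, raw = parsed
        encrypted.append((directory, orig, raw))
        tokens.append(token)
    return {
        "ransom_notes": sum(notes.values()),
        "note_dirs": sorted(notes),
        "encrypted": len(encrypted),
        "other_opened": len(untouched),
        # A prefix shared by every token is worth recording in an IR timeline;
        # the report shows one, but does not say what it encodes.
        "token_common_prefix": os.path.commonprefix(tokens),
        "token_sizes": {len(raw) for _, _, raw in encrypted},
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

Feeding the whole "Drops file in ..." sections through `summarize` gives the counts an incident timeline needs (notes written, files renamed, files opened but not yet renamed at the time the run was cut off); `parse_hive_name` is the piece to reuse when recovering original file names from an encrypted volume listing.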
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Caveat for this report: every process listed under this signature is a built-in Windows utility (timeout.exe, cmd.exe, vssadmin.exe, MsiExec.exe) reading the NLS\Language key, and the sample itself does not appear; the hits reflect those utilities' ordinary locale lookups, not targeting logic in the ransomware.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe -
Delays execution with timeout.exe 64 IoCs
pid Process 2556 timeout.exe 2180 timeout.exe 2180 timeout.exe 3040 timeout.exe 3020 timeout.exe 3032 timeout.exe 532 timeout.exe 2956 timeout.exe 2564 timeout.exe 2600 timeout.exe 1272 timeout.exe 2324 timeout.exe 1360 timeout.exe 1420 timeout.exe 2584 timeout.exe 1276 timeout.exe 2184 timeout.exe 352 timeout.exe 604 timeout.exe 448 timeout.exe 752 timeout.exe 3040 timeout.exe 976 timeout.exe 1556 timeout.exe 1496 timeout.exe 332 timeout.exe 3060 timeout.exe 2688 timeout.exe 2356 timeout.exe 2152 timeout.exe 2428 timeout.exe 2644 timeout.exe 2896 timeout.exe 2936 timeout.exe 1928 timeout.exe 2472 timeout.exe 3016 timeout.exe 1844 timeout.exe 1560 timeout.exe 2632 timeout.exe 1944 timeout.exe 2392 timeout.exe 2100 timeout.exe 1592 timeout.exe 1444 timeout.exe 1484 timeout.exe 2552 timeout.exe 1728 timeout.exe 928 timeout.exe 1876 timeout.exe 2976 timeout.exe 2520 timeout.exe 2424 timeout.exe 2556 timeout.exe 2184 timeout.exe 2344 timeout.exe 2300 timeout.exe 2676 timeout.exe 832 timeout.exe 1568 timeout.exe 2304 timeout.exe 2420 timeout.exe 744 timeout.exe 2540 timeout.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery. In this run the vssadmin.exe instance (PID 2540) is launched by cmd.exe (PID 2116), itself a child of the sample (PID 2000), as the WriteProcessMemory entries below show.
pid Process 2540 vssadmin.exe -
Modifies registry class 7 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit\command msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx\IconHandler msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon msiexec.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2000 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe 2060 msiexec.exe 2060 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
description pid Process Token: SeBackupPrivilege 1236 vssvc.exe Token: SeRestorePrivilege 1236 vssvc.exe Token: SeAuditPrivilege 1236 vssvc.exe Token: SeRestorePrivilege 2060 msiexec.exe Token: SeTakeOwnershipPrivilege 2060 msiexec.exe Token: SeSecurityPrivilege 2060 msiexec.exe Token: SeRestorePrivilege 2060 msiexec.exe Token: SeTakeOwnershipPrivilege 2060 msiexec.exe Token: SeRestorePrivilege 2060 msiexec.exe Token: SeTakeOwnershipPrivilege 2060 msiexec.exe Token: SeRestorePrivilege 2060 msiexec.exe Token: SeTakeOwnershipPrivilege 2060 msiexec.exe Token: SeRestorePrivilege 2060 msiexec.exe Token: SeTakeOwnershipPrivilege 2060 msiexec.exe Token: SeRestorePrivilege 2060 msiexec.exe Token: SeTakeOwnershipPrivilege 2060 msiexec.exe Token: SeRestorePrivilege 2060 msiexec.exe Token: SeTakeOwnershipPrivilege 2060 msiexec.exe Token: SeRestorePrivilege 2060 msiexec.exe Token: SeTakeOwnershipPrivilege 2060 msiexec.exe Token: SeRestorePrivilege 2060 msiexec.exe Token: SeTakeOwnershipPrivilege 2060 msiexec.exe Token: SeRestorePrivilege 2060 msiexec.exe Token: SeTakeOwnershipPrivilege 2060 msiexec.exe Token: SeRestorePrivilege 2060 msiexec.exe Token: SeTakeOwnershipPrivilege 2060 msiexec.exe Token: SeRestorePrivilege 2060 msiexec.exe Token: SeTakeOwnershipPrivilege 2060 msiexec.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2000 wrote to memory of 2792 2000 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe 30 PID 2000 wrote to memory of 2792 2000 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe 30 PID 2000 wrote to memory of 2792 2000 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe 30 PID 2000 wrote to memory of 2792 2000 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe 30 PID 2000 wrote to memory of 2116 2000 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe 32 PID 2000 wrote to memory of 2116 2000 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe 32 PID 2000 wrote to memory of 2116 2000 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe 32 PID 2000 wrote to memory of 2116 2000 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe 32 PID 2116 wrote to memory of 2540 2116 cmd.exe 34 PID 2116 wrote to memory of 2540 2116 cmd.exe 34 PID 2116 wrote to memory of 2540 2116 cmd.exe 34 PID 2116 wrote to memory of 2540 2116 cmd.exe 34 PID 2792 wrote to memory of 2584 2792 cmd.exe 35 PID 2792 wrote to memory of 2584 2792 cmd.exe 35 PID 2792 wrote to memory of 2584 2792 cmd.exe 35 PID 2792 wrote to memory of 2584 2792 cmd.exe 35 PID 2792 wrote to memory of 532 2792 cmd.exe 37 PID 2792 wrote to memory of 532 2792 cmd.exe 37 PID 2792 wrote to memory of 532 2792 cmd.exe 37 PID 2792 wrote to memory of 532 2792 cmd.exe 37 PID 2792 wrote to memory of 2556 2792 cmd.exe 38 PID 2792 wrote to memory of 2556 2792 cmd.exe 38 PID 2792 wrote to memory of 2556 2792 cmd.exe 38 PID 2792 wrote to memory of 2556 2792 cmd.exe 38 PID 2792 wrote to memory of 3040 2792 cmd.exe 39 PID 2792 wrote to memory of 3040 2792 cmd.exe 39 PID 2792 wrote to memory of 3040 2792 cmd.exe 39 PID 2792 wrote to memory of 3040 2792 cmd.exe 39 PID 2792 wrote to memory of 2548 2792 cmd.exe 40 PID 2792 wrote to memory of 2548 2792 cmd.exe 40 PID 2792 wrote to memory of 2548 2792 cmd.exe 40 PID 2792 wrote to memory of 2548 2792 cmd.exe 40 PID 2792 wrote to 
memory of 1528 2792 cmd.exe 41 PID 2792 wrote to memory of 1528 2792 cmd.exe 41 PID 2792 wrote to memory of 1528 2792 cmd.exe 41 PID 2792 wrote to memory of 1528 2792 cmd.exe 41 PID 2792 wrote to memory of 960 2792 cmd.exe 42 PID 2792 wrote to memory of 960 2792 cmd.exe 42 PID 2792 wrote to memory of 960 2792 cmd.exe 42 PID 2792 wrote to memory of 960 2792 cmd.exe 42 PID 2792 wrote to memory of 2688 2792 cmd.exe 43 PID 2792 wrote to memory of 2688 2792 cmd.exe 43 PID 2792 wrote to memory of 2688 2792 cmd.exe 43 PID 2792 wrote to memory of 2688 2792 cmd.exe 43 PID 2792 wrote to memory of 2344 2792 cmd.exe 44 PID 2792 wrote to memory of 2344 2792 cmd.exe 44 PID 2792 wrote to memory of 2344 2792 cmd.exe 44 PID 2792 wrote to memory of 2344 2792 cmd.exe 44 PID 2792 wrote to memory of 2956 2792 cmd.exe 45 PID 2792 wrote to memory of 2956 2792 cmd.exe 45 PID 2792 wrote to memory of 2956 2792 cmd.exe 45 PID 2792 wrote to memory of 2956 2792 cmd.exe 45 PID 2792 wrote to memory of 2076 2792 cmd.exe 46 PID 2792 wrote to memory of 2076 2792 cmd.exe 46 PID 2792 wrote to memory of 2076 2792 cmd.exe 46 PID 2792 wrote to memory of 2076 2792 cmd.exe 46 PID 2792 wrote to memory of 604 2792 cmd.exe 47 PID 2792 wrote to memory of 604 2792 cmd.exe 47 PID 2792 wrote to memory of 604 2792 cmd.exe 47 PID 2792 wrote to memory of 604 2792 cmd.exe 47 PID 2792 wrote to memory of 2300 2792 cmd.exe 48 PID 2792 wrote to memory of 2300 2792 cmd.exe 48 PID 2792 wrote to memory of 2300 2792 cmd.exe 48 PID 2792 wrote to memory of 2300 2792 cmd.exe 48 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
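The WriteProcessMemory list above and the process tree below give the parent/child relationships a detection would key on: the sample (PID 2000) launches two cmd.exe children, one running `cmd /c hive.bat` that fans out `timeout 1` processes and one that starts vssadmin.exe (PID 2540, the "Interacts with shadow copies" hit). The script below is an added example, not code from the report or from Hive: it rebuilds the tree from process-creation records and raises two alerts, each carrying the PID chain back to the binary that started it. The records are constructed from the report's PIDs and images; the report records only that PID 2540 is vssadmin.exe, so its command line (and the wrapping cmd.exe line) is an assumption chosen to match the "Deletes shadow copies" signature the report lists, and the sample's own parent is unknown (ppid 0 here).

```python
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
TIMEOUT = r"C:\Windows\SysWOW64\timeout.exe"
VSSADMIN = r"C:\Windows\SysWOW64\vssadmin.exe"

# Constructed process-creation records: (pid, ppid, image, command line).
# PIDs, images and the hive.bat / timeout command lines are from the report;
# the sample's parent is unknown (ppid 0) and the two vssadmin-related command
# lines are assumptions, since the report lists only pid and image for them.
EVENTS = [
    (2000, 0, SAMPLE, f'"{SAMPLE}"'),
    (2792, 2000, CMD, "cmd /c hive.bat >NUL 2>NUL"),
    (2116, 2000, CMD, "cmd /c vssadmin.exe delete shadows /all /quiet"),  # assumed
    (2540, 2116, VSSADMIN, "vssadmin.exe delete shadows /all /quiet"),     # assumed
] + [
    (pid, 2792, TIMEOUT, "timeout 1")
    for pid in (2584, 532, 2556, 3040, 2548, 1528, 960, 2688, 2344, 2956, 2076, 604, 2300)
]


def build_tree(events):
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    children = defaultdict(list)
    for pid, ppid, _, _ in events:
        children[ppid].append(pid)
    return by_pid, children


def ancestry(by_pid, pid):
    """PID chain from the process up to the outermost parent we have a record for."""
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid][0]
    return chain


def in_user_writable_path(image):
    low = image.lower()
    return low.startswith("c:\\users\\") or "\\appdata\\" in low or "\\temp\\" in low


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def detect(events, timeout_burst=10):
    """Return alerts for shadow-copy deletion and timeout fan-out, with ancestry."""
    by_pid, children = build_tree(events)
    alerts = []
    for pid, _ppid, image, cmd in events:
        chain = ancestry(by_pid, pid)
        root_image = by_pid[chain[-1]][1]
        common = {"pid": pid, "chain": chain,
                  "root_user_writable": in_user_writable_path(root_image)}
        name = basename(image)
        words = cmd.lower().split()
        # Rule 1: vssadmin deleting shadow copies, reported together with the
        # chain back to the process that started it (here a Temp executable).
        if name == "vssadmin.exe" and "delete" in words and "shadows" in words:
            alerts.append({"rule": "vssadmin_delete_shadows", **common})
        # Rule 2: one cmd.exe spawning many timeout.exe children, the pattern
        # behind the report's "Delays execution with timeout.exe" signature.
        if name == "cmd.exe":
            count = sum(1 for c in children[pid] if basename(by_pid[c][1]) == "timeout.exe")
            if count >= timeout_burst:
                alerts.append({"rule": "timeout_burst", "count": count, **common})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Rule 2 alone is noisy on hosts that run batch jobs with deliberate pauses; the `root_user_writable` flag is what turns it into a usable alert, since the chain here roots in an executable under the user's Temp directory rather than a scheduled-task script.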
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe (PID 2000, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe"
  - Drops file in Drivers directory
  - Drops startup file
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2792, depth 2)
    Command line: cmd /c hive.bat >NUL 2>NUL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Child processes (depth 3), each C:\Windows\SysWOW64\timeout.exe with command line "timeout 1", in the order recorded:
    - PID 2584: Delays execution with timeout.exe
    - PID 532: Delays execution with timeout.exe
    - PID 2556: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
    - PID 3040: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
    - PID 2548
    - PID 1528
    - PID 960: System Location Discovery: System Language Discovery
    - PID 2688: Delays execution with timeout.exe
    - PID 2344: Delays execution with timeout.exe
    - PID 2956: Delays execution with timeout.exe
    - PID 2076: System Location Discovery: System Language Discovery
    - PID 604: Delays execution with timeout.exe
    - PID 2300: Delays execution with timeout.exe
    - PID 2936: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
    - PID 2104: System Location Discovery: System Language Discovery
    - PID 1276: Delays execution with timeout.exe
    - PID 1264
    - PID 2392: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
    - PID 2676: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
    - PID 3020: Delays execution with timeout.exe
    - PID 2420: Delays execution with timeout.exe
    - PID 744: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
    - PID 1920: System Location Discovery: System Language Discovery
    - PID 976: System Location Discovery: System Language Discovery
    - PID 1900: System Location Discovery: System Language Discovery
    - PID 1320
    - PID 352: System Location Discovery: System Language Discovery
    - PID 976: Delays execution with timeout.exe
    - PID 2068: System Location Discovery: System Language Discovery
    - PID 848: System Location Discovery: System Language Discovery
    - PID 2604: System Location Discovery: System Language Discovery
    - PID 1928: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
    - PID 1984: System Location Discovery: System Language Discovery
    - PID 1556: Delays execution with timeout.exe
    - PID 2184: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
    - PID 1496: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
    - PID 2236
    - PID 2588: System Location Discovery: System Language Discovery
    - PID 2564: Delays execution with timeout.exe
    - PID 2472: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
    - PID 832: Delays execution with timeout.exe
    - PID 1924
    - PID 2540: Delays execution with timeout.exe
    - PID 344: System Location Discovery: System Language Discovery
    - PID 2712
    - PID 332: Delays execution with timeout.exe
    - PID 2944: System Location Discovery: System Language Discovery
    - PID 2100: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
    - PID 1360: Delays execution with timeout.exe
    - PID 3060: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
    - PID 900: System Location Discovery: System Language Discovery
    - PID 2496: System Location Discovery: System Language Discovery
    - PID 2356: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
    - PID 2180: Delays execution with timeout.exe
    - PID 2416
    - PID 3032: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
    - PID 2620: System Location Discovery: System Language Discovery
    - PID 3016: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
    - PID 2916
    - PID 1608
    - PID 1592: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
    - PID 2180: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
    - PID 1920
    - PID 2632: System Location Discovery: System Language Discovery
    - PID 940
    - PID 1608
    - PID 2320
    - PID 928: Delays execution with timeout.exe
    - PID 988
    - PID 1528: System Location Discovery: System Language Discovery
    - PID 2652: System Location Discovery: System Language Discovery
    - PID 1876: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
    - PID 2724
    - PID 1496
    - PID 448: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
    - PID 2220
    - PID 2976: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
    - PID 2152: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
    - PID 2428: Delays execution with timeout.exe
    - PID 2520: Delays execution with timeout.exe
    - PID 2192
    - PID 2644: Delays execution with timeout.exe
    - PID 156: System Location Discovery: System Language Discovery
    - PID 1444: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
    - PID 2600: Delays execution with timeout.exe
    - PID 2856
    - PID 604: System Location Discovery: System Language Discovery
    - PID 1568: Delays execution with timeout.exe
    - PID 2968: System Location Discovery: System Language Discovery
    - PID 1420: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
    - PID 2828
    - PID 2168: System Location Discovery: System Language Discovery
    - PID 2304: Delays execution with timeout.exe
    - PID 2932: System Location Discovery: System Language Discovery
    - PID 1484: Delays execution with timeout.exe
    - PID 2720
    - PID 1268
    - PID 2312: System Location Discovery: System Language Discovery
    - PID 2084
    - PID 2320
    - PID 2552: Delays execution with timeout.exe
    - PID 448
    - PID 2632: Delays execution with timeout.exe
    - PID 2364
    - PID 1844: Delays execution with timeout.exe
    - PID 752: Delays execution with timeout.exe
    - PID 992
    - PID 1944: Delays execution with timeout.exe
    - PID 1272: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
    - PID 2324: Delays execution with timeout.exe
    - PID 1560: Delays execution with timeout.exe
    - PID 2628
    - PID 332: System Location Discovery: System Language Discovery
    - PID 2468
    - PID 540
    - PID 1828
    - PID 2208
    - PID 2372
    - PID 2424: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
    - PID 1668
    - PID 2996
    - PID 2296
    - PID 2184: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
    - PID 2708
    - PID 2220
    - PID 352: Delays execution with timeout.exe
    - PID 2556: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
    - PID 2484: System Location Discovery: System Language Discovery
    - PID 3040: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
    - PID 2444: System Location Discovery: System Language Discovery
    - PID 1728: Delays execution with timeout.exe
    - PID 2896: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
    - PID 1528: System Location Discovery: System Language Discovery
    - PID 2356
    - PID 1756
    - PID 2100
    - PID 2780: System Location Discovery: System Language Discovery
    - PID 1644
  - C:\Windows\SysWOW64\cmd.exe (PID 2116, depth 2)
    Command line: cmd /c shadow.bat >NUL 2>NUL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe (PID 2540, depth 3)
      Command line: vssadmin.exe delete shadows /all /quiet
      - System Location Discovery: System Language Discovery
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe (PID 1236, depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\msiexec.exe (PID 2060, depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Loads dropped DLL
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\syswow64\MsiExec.exe (PID 1708, depth 2)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C147172E2949E98174A424C0F4B15399
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  - C:\Windows\system32\MsiExec.exe (PID 2260, depth 2)
    Command line: C:\Windows\system32\MsiExec.exe -Embedding AD5138FC272727C4D91722C91B2C46C7
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (2)
  - Credentials from Web Browsers (1)
  - Windows Credential Manager (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads