Analysis
max time kernel: 127s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-08-2024 07:07
Behavioral task behavioral1
Sample: 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe
Resource: win7-20240729-en
Behavioral task behavioral2
Sample: 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe
Resource: win10v2004-20240802-en
General
Target: 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe
Size: 2.2MB
MD5: 61a8fc763aa8bfdb1e43001566bcfce7
SHA1: b65880c2c590b3d2f736bf2818be923214a6efe5
SHA256: 8d797c2e404f3162c836020500b99c524deedabfc4770ee54fd9e0ea8bfd2ef4
SHA512: 5c39fb96e97dd7291b55b3d16ca0b0521e391369aa639801054e1011b11b3680ec2374dac8b2447677a23bf480c4b2014bb90442f0e8afe1b298c08650d14823
SSDEEP: 24576:lm8bqgR8VT8P5ZmUbFJnDoaY3azzKSP/OFvIxJH92ZK86EqDh8YCJjiraf4oAV/j:v73h3P/4K81TjasiXCUVnjU1HO1
Malware Config
Extracted from: C:\PerfLogs\HOW_TO_DECRYPT.txt
Family: hive
URLs:
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
Signatures
Hive
Ransomware written in Golang, first seen in June 2021.
Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access to, or copy of, a web browser credential store.
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Drops file in Drivers directory (20 IoCs)
Process (all rows): 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe
description | ioc
File created | C:\Windows\SysWOW64\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\drivers\de-DE\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\drivers\en-US\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\drivers\es-ES\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\drivers\it-IT\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\drivers\uk-UA\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\drivers\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\drivers\UMDF\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\drivers\fr-FR\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\drivers\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\drivers\ja-JP\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\drivers\uk-UA\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\HOW_TO_DECRYPT.txt
Credentials from Password Stores: Windows Credential Manager (1 TTPs)
Suspicious access to Credentials History.
Drops startup file (4 IoCs)
Process (all rows): 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe
description | ioc
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW_TO_DECRYPT.txt
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\HOW_TO_DECRYPT.txt
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.C5dk5EKAfuwXvvS6EdFcwsgA4MaK2HQlRvXde0FORC4.hive
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar data.
Drops desktop.ini file(s) (64 IoCs)
Process (all rows): 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe
description | ioc
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
File opened for modification | C:\Users\Admin\Favorites\desktop.ini
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
File opened for modification | C:\Users\Public\desktop.ini
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
File opened for modification | C:\Users\Admin\Desktop\desktop.ini
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini
File opened for modification | C:\Users\Admin\Searches\desktop.ini
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
File opened for modification | C:\Users\Public\Libraries\desktop.ini
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
File opened for modification | C:\Users\Public\AccountPictures\desktop.ini
File opened for modification | C:\Users\Public\Documents\desktop.ini
File opened for modification | C:\Users\Public\Music\desktop.ini
File opened for modification | C:\Users\Public\Videos\desktop.ini
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
File opened for modification | C:\Users\Admin\Contacts\desktop.ini
File opened for modification | C:\Users\Admin\Links\desktop.ini
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
File opened for modification | C:\Users\Public\Desktop\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
File opened for modification | C:\Users\Admin\Documents\desktop.ini
File opened for modification | C:\Users\Admin\Music\desktop.ini
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
File opened for modification | C:\Users\Admin\Downloads\desktop.ini
File opened for modification | C:\Users\Admin\Videos\desktop.ini
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
File opened for modification | C:\Users\Public\Pictures\desktop.ini
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
File opened for modification | C:\Users\Admin\Pictures\desktop.ini
Drops file in System32 directory (64 IoCs)
Process (all rows): 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe
description | ioc
File opened for modification | C:\Windows\SysWOW64\migwiz\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\c_sbp2.inf_amd64_db7034ac4806cf05\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\c_cdrom.inf_amd64_f08f2fe1cde58aef\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\net7800-x64-n650f.inf_amd64_178f1bdb49a6e2fd\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\usbprint.inf_amd64_86cdf3e1f512cca1\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\IME\IMEJP\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\config\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\LogFiles\LSA\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_EnvironmentResource\fr-FR\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\mdmmod.inf_amd64_51d6c57c66e3de87\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_x86_c62e9f8067f98247\I386\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\fr-FR\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\IME\SHARED\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_UserResource\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\it-IT\Licenses\OEM\Professional\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\DiagSvcs\ja-JP\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\windowstrustedrtproxy.inf_amd64_db5be14d5e02560f\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\migration\en-US\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\oobe\it-IT\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\de-DE\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\mtconfig.inf_amd64_fe91941ed205cd9b\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\Configuration\PartialConfigurations\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_EnvironmentResource\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\Configuration\ConfigurationStatus\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\mdmgl003.inf_amd64_6b639ff361f628eb\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\mdmmotou.inf_amd64_8370fa408706074c\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\microsoft_bluetooth_a2dp_snk.inf_amd64_213eeba98cc6f2f4\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\netmlx4eth63.inf_amd64_3809a4a3e7e07703\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ProcessResource\en-US\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\mdmsun1.inf_amd64_5b6db32fd04403a3\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\scmvolume.inf_amd64_6957cfb7d6fea5c7\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\ws3cap.inf_amd64_6cf8ea2249844b50\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\ja-JP\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\it-IT\Licenses\Volume\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\Configuration\Registration\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AssignedAccess\ja-JP\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\remoteposdrv.inf_amd64_0f0da968c1cfce06\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\pci.inf_amd64_66614bed5c0a20d8\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\InstallShield\setupdir\0011\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\nl-NL\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\slmgr\040C\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\F12\de-DE\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\ScheduledTasks\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_8a737d38f201aeb1\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\Licenses\neutral\_Default\Professional\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_LogResource\de-DE\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForAny\fr-FR\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SecureBoot\it-IT\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\spp\tokens\legacy\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\MailContactsCalendarSync\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\en-US\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WindowsOptionalFeature\de-DE\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\c_fscontentscreener.inf_amd64_bd1517e25f3e419f\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\c_mediumchanger.inf_amd64_69ea0d8614286224\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\compositebus.inf_amd64_7500cffa210c6946\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\hidbth.inf_amd64_76fb27776958e530\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\mausbhost.inf_amd64_34c86c15777c913b\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\mdmirmdm.inf_amd64_ba5b77b7d46bc10d\HOW_TO_DECRYPT.txt
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ArchiveResource\fr-FR\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_EnvironmentResource\en-US\HOW_TO_DECRYPT.txt
File opened for modification | C:\Windows\SysWOW64\MUI\0411\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\mdmdp2.inf_amd64_6550f790ed88c7ba\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\mdmsii64.inf_amd64_0f02175b17cd3f66\HOW_TO_DECRYPT.txt
File created | C:\Windows\System32\DriverStore\FileRepository\pcmcia.inf_amd64_cb18bba4788e47f7\HOW_TO_DECRYPT.txt
Drops file in Program Files directory (64 IoCs)
Process (all rows): 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe
description | ioc
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.Core.dll.C5dk5EKAfuwXvvS6EdFcwhU5mkBKQ0F2HObuyFlkUh8.hive
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\AddressBook.png.C5dk5EKAfuwXvvS6EdFcwh27jOuMtlYobAxiH8HUJmg.hive
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-80_altform-unplated_contrast-white.png
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\AttachmentPlaceholder-Dark.png
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\HOW_TO_DECRYPT.txt
File opened for modification | C:\Program Files (x86)\Windows Media Player\WMPMediaSharing.dll
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\RADIAL.INF.C5dk5EKAfuwXvvS6EdFcwtsA2CAzw8B7CEekZpxrOR0.hive
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\gstreamer-lite.dll.C5dk5EKAfuwXvvS6EdFcwvIRYVNYPaMLZKJekXmM5E4.hive
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libmft_plugin.dll
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\LargeTile.scale-100.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Onix32.dll
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-phn.xrm-ms.C5dk5EKAfuwXvvS6EdFcwvaDeZymSjtTYc3PVpvTNAE.hive
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Controls.Ribbon.resources.dll
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\Close.png.C5dk5EKAfuwXvvS6EdFcwlgcPb2PrRFCNbJblat4KmQ.hive
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-synch-l1-2-0.dll
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Common.dll.C5dk5EKAfuwXvvS6EdFcwilbZjyDJfVfGub9Q5dWZRs.hive
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Json.dll
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon.png.C5dk5EKAfuwXvvS6EdFcwo_KKFt_oi40EA9efwdGlyI.hive
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\next-arrow-default.svg
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\msedgeupdateres_cy.dll
File created | C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\HOW_TO_DECRYPT.txt
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-sysinfo-l1-1-0.dll
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsFormsIntegration.resources.dll
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.resources.dll.C5dk5EKAfuwXvvS6EdFcwiC4VWIg6IAyEWbweY_DiW4.hive
File opened for modification | C:\Program Files (x86)\Windows Mail\wab.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationUI.resources.dll.C5dk5EKAfuwXvvS6EdFcwg7lhkIcOcNcd9wQ-dZLZm8.hive
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\eu-es\ui-strings.js.C5dk5EKAfuwXvvS6EdFcwv3XXGP5DvkdJZSt1ATrelY.hive
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Design.dll.C5dk5EKAfuwXvvS6EdFcwvNcemHMB-IFGHaFFYzGp3A.hive
File created | C:\Program Files\Windows NT\TableTextService\en-US\HOW_TO_DECRYPT.txt
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\82.jpg
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square150x150Logo.scale-200.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-selector.js.C5dk5EKAfuwXvvS6EdFcwqzizw4MHBAgQK02Fnl9EAs.hive
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\OSF.DLL
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.Design.resources.dll.C5dk5EKAfuwXvvS6EdFcwu31KSLVWfEFgMWOJzCHzhw.hive
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\it-it\ui-strings.js.C5dk5EKAfuwXvvS6EdFcwqvdXPK9KKgSIVymtEdf2Hg.hive
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-oob.xrm-ms.C5dk5EKAfuwXvvS6EdFcwt6PvOx51uNSxsbMfuCQOQ0.hive
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-40_altform-unplated_contrast-black.png
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-20_altform-lightunplated.png
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\HOW_TO_DECRYPT.txt
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.dll.C5dk5EKAfuwXvvS6EdFcwmKdLT8qk9hqmXHrjwBoAUo.hive
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\README.txt.C5dk5EKAfuwXvvS6EdFcwoIoRsra-lM49tlT6sg7Jlc.hive
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MEDIA\BREEZE.WAV
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ul-oob.xrm-ms.C5dk5EKAfuwXvvS6EdFcwrslazknyNY6HWjA47_owXU.hive
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\Win10\MicrosoftSolitaireWideTile.scale-200.jpg
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\info.gif
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_auditreport_18.svg
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_es.dll.C5dk5EKAfuwXvvS6EdFcwvfjQzg7NlUUL_o1h2oSDkw.hive
File opened for modification | C:\Program Files\Java\jdk-1.8\lib\ct.sym
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\eo\LC_MESSAGES\vlc.mo
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_K_COL.HXK.C5dk5EKAfuwXvvS6EdFcwpw7XvSTaehyk12j5L6JYBs.hive
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationProvider.resources.dll
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\ui-strings.js
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.dll.C5dk5EKAfuwXvvS6EdFcwsTu_eXQlQBFc-W54vpXG3s.hive
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\jce.jar
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ppd.xrm-ms.C5dk5EKAfuwXvvS6EdFcwrAQRkmCGBFV4ZLUvILxWyY.hive
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderWideTile.contrast-white_scale-200.png
File opened for modification | C:\Program
Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_contrast-black.png 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyCalendarSearch.scale-400.png 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Xaml.resources.dll.C5dk5EKAfuwXvvS6EdFcwiVB1rH5wgNXIxqVCtX7bjw.hive 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nl-nl\ui-strings.js 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationFramework.resources.dll.C5dk5EKAfuwXvvS6EdFcwjXH_SUGW5w8wmpcwujbKC0.hive 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\A12_TypeTextFields_White@1x.png.C5dk5EKAfuwXvvS6EdFcwqWPCydJcm8BiNfqIemZ6gY.hive 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\WinSxS\amd64_microsoft-windows-w..lient-aux.resources_31bf3856ad364e35_10.0.19041.1266_en-us_2349fda40e0c3826\r\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\msil_system.servicemodel.install.resources_b77a5c561934e089_10.0.19041.1_it-it_b372539d3949fc74\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-d..airingdll.resources_31bf3856ad364e35_10.0.19041.1_it-it_02797566dab1a781\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-mmc-adm.resources_31bf3856ad364e35_10.0.19041.1_it-it_0562b2b904cc6113\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-rdbss.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_09b86040c40c8a6a\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\wow64_microsoft-windows-cloudfiles-apilibrary_31bf3856ad364e35_10.0.19041.1_none_497d7ca260151020\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\wow64_microsoft-windows-appmanagement-appvwow_31bf3856ad364e35_10.0.19041.264_none_9b70177c85a8df54\r\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\Resources\Themes\aero\fr-FR\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-s..vice-core.resources_31bf3856ad364e35_10.0.19041.1_es-es_eb31f8fea2dfe0bc\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created 
C:\Windows\WinSxS\wow64_microsoft-windows-quickassist.resources_31bf3856ad364e35_10.0.19041.1_it-it_4f3dfceb6758f834\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\wow64_microsoft-windows-rastapi_31bf3856ad364e35_10.0.19041.1110_none_8e04ff5b636ae4fe\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\fr\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_dual_net7400-x64-n650.inf_31bf3856ad364e35_10.0.19041.1_none_14d353a76e9c536e\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-rotmgr_31bf3856ad364e35_10.0.19041.746_none_0bd845a4159c1a60\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-u..tionuxexe.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_294049800d68201d\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\wow64_microsoft-windows-c..entsnapin.resources_31bf3856ad364e35_10.0.19041.1_it-it_c4348f4f8d07e605\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\wow64_microsoft-windows-npiv.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_c74f6ea053cfbe7d\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\system.dynamic.resources\v4.0_4.0.0.0_fr_b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-attrib_31bf3856ad364e35_10.0.19041.1_none_687f28352b92068b\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created 
C:\Windows\WinSxS\amd64_microsoft-windows-rpc-kernel_31bf3856ad364e35_10.0.19041.1_none_74fd915921441a6a\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-t..atibility.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_da03973719857f50\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-i..riptedsandboxplugin_31bf3856ad364e35_11.0.19041.746_none_7d8d3c68f3a16325\f\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\sysglobl.resources\v4.0_4.0.0.0_de_b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-c..ckagingom.resources_31bf3856ad364e35_10.0.19041.1_de-de_dfb715c8ef26e1db\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-i..emsupport.resources_31bf3856ad364e35_10.0.19041.1023_en-us_74c0b5df04b52bb8\f\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-n..n-clients.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_46ae64c1ca0cd8e9\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-s..container.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_ada3ee541c0a53ea\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-s..resources.resources_31bf3856ad364e35_10.0.19041.1_it-it_49167d51139e0e3f\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created 
C:\Windows\WinSxS\amd64_system.servicemodel.web.resources_31bf3856ad364e35_4.0.15805.0_ja-jp_fa2fe8ee29da813f\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\SlickGrid\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-c..dstore-schema-shell_31bf3856ad364e35_10.0.19041.746_none_71d74c9c052371e4\f\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-d..communication-winrt_31bf3856ad364e35_10.0.19041.264_none_d2386109e9610491\r\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-i..xecutable.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_dd6236e95c9f69d1\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-i..l-keyboard-00000449_31bf3856ad364e35_10.0.19041.1_none_a0bf101f014dcac1\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\wow64_microsoft-windows-p..package-managed-api_31bf3856ad364e35_10.0.19041.1202_none_00020b7d91f43625\r\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.Resources\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Cmdletization.OData.Resources\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\aspnet_compiler.resources\v4.0_4.0.0.0_it_b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created 
C:\Windows\WinSxS\amd64_system.windows.inpu..pulations.resources_b77a5c561934e089_4.0.15805.0_es-es_b9e525930571e01b\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\wow64_microsoft-windows-explorer.resources_31bf3856ad364e35_10.0.19041.1_it-it_52e3081d118b00ef\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_hyperv-vmemulateddevices.resources_31bf3856ad364e35_10.0.19041.1_en-us_7217d1309a54e027\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-i..-shellcommon-broker_31bf3856ad364e35_10.0.19041.1151_none_c30ac589c1dad323\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-n..datausage.resources_31bf3856ad364e35_10.0.19041.1_de-de_037954372524597d\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-snmp-common-api_31bf3856ad364e35_10.0.19041.1_none_e90d02a70e50225c\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-d..appushsvc.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_e0fa59524d9d2fb1\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-t..ctiveuser.resources_31bf3856ad364e35_10.0.19041.1_es-es_2731a4f9dc50a3e5\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-p..peeradmin.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_fa6a546b4a245dee\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_10.0.19041.207_none_8d07de31084775c6\r\HOW_TO_DECRYPT.txt 
2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_10.0.19041.844_none_7eaa07ee55c22dcc\f\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_presentationframework.aerolite_31bf3856ad364e35_4.0.15805.0_none_c25fdd6b0e2df812\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\wow64_microsoft-windows-d..w-capture.resources_31bf3856ad364e35_10.0.19041.1_de-de_8f0461b9464b5dfb\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\wow64_microsoft-windows-msports_31bf3856ad364e35_10.0.19041.1_none_4d62d24ec303020c\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Speech.resources\v4.0_4.0.0.0_it_31bf3856ad364e35\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-f..yphanimator-library_31bf3856ad364e35_10.0.19041.746_none_faa6ec755f8b9fdf\f\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-network-qos-pacer_31bf3856ad364e35_10.0.19041.546_none_cb01ee53d6697641\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-t..emotepage.resources_31bf3856ad364e35_10.0.19041.1_de-de_c417cda3e244c81b\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2136afef5fadeaa4\f\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-v..payloadrestrictions_31bf3856ad364e35_10.0.19041.1288_none_c59e86728dfb9a43\HOW_TO_DECRYPT.txt 
2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Utility.Activities.Resources\v4.0_3.0.0.0_es_31bf3856ad364e35\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_dual_netefe3e.inf_31bf3856ad364e35_10.0.19041.1_none_c67d78ba9767ae30\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_mdmcxpv6.inf.resources_31bf3856ad364e35_10.0.19041.1_de-de_817c47d0411338be\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-a..terface-ldapc-layer_31bf3856ad364e35_10.0.19041.1_none_152381bd05dadff7\HOW_TO_DECRYPT.txt 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe -
Delays execution with timeout.exe 64 IoCs
pid Process (all 64 entries are timeout.exe): 4336, 3012, 3692, 3152, 3772, 3956, 2296, 3944, 1348, 1920, 4636, 2672, 4648, 3320, 2544, 4560, 4568, 1364, 2072, 1340, 4544, 4116, 4296, 2188, 2684, 4760, 2420, 1604, 4356, 4248, 4736, 3252, 4152, 3988, 1888, 1112, 4852, 4136, 3696, 4788, 4436, 2948, 5064, 3996, 4944, 4900, 3776, 744, 3916, 4792, 4144, 1580, 5040, 1388, 3832, 2608, 4336, 3672, 3240, 1520, 1200, 4176, 4852, 3468
Modifies registry class 2 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{DA070EEA-6C79-4F4A-8576-E3E6F29285D8} explorer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
1508 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe
1508 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process
Token: SeShutdownPrivilege 1780 explorer.exe
Token: SeCreatePagefilePrivilege 1780 explorer.exe
Token: SeShutdownPrivilege 1780 explorer.exe
Token: SeCreatePagefilePrivilege 1780 explorer.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
1780 explorer.exe
1780 explorer.exe
Suspicious use of SendNotifyMessage 2 IoCs
pid Process
1780 explorer.exe
1780 explorer.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1508 wrote to memory of 2960 1508 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe 104 PID 1508 wrote to memory of 2960 1508 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe 104 PID 1508 wrote to memory of 2960 1508 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe 104 PID 1508 wrote to memory of 2028 1508 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe 105 PID 1508 wrote to memory of 2028 1508 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe 105 PID 1508 wrote to memory of 2028 1508 2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe 105 PID 2960 wrote to memory of 4248 2960 cmd.exe 108 PID 2960 wrote to memory of 4248 2960 cmd.exe 108 PID 2960 wrote to memory of 4248 2960 cmd.exe 108 PID 2960 wrote to memory of 4428 2960 cmd.exe 109 PID 2960 wrote to memory of 4428 2960 cmd.exe 109 PID 2960 wrote to memory of 4428 2960 cmd.exe 109 PID 2960 wrote to memory of 3776 2960 cmd.exe 110 PID 2960 wrote to memory of 3776 2960 cmd.exe 110 PID 2960 wrote to memory of 3776 2960 cmd.exe 110 PID 2960 wrote to memory of 4116 2960 cmd.exe 111 PID 2960 wrote to memory of 4116 2960 cmd.exe 111 PID 2960 wrote to memory of 4116 2960 cmd.exe 111 PID 2960 wrote to memory of 532 2960 cmd.exe 112 PID 2960 wrote to memory of 532 2960 cmd.exe 112 PID 2960 wrote to memory of 532 2960 cmd.exe 112 PID 2960 wrote to memory of 1608 2960 cmd.exe 113 PID 2960 wrote to memory of 1608 2960 cmd.exe 113 PID 2960 wrote to memory of 1608 2960 cmd.exe 113 PID 2960 wrote to memory of 4788 2960 cmd.exe 114 PID 2960 wrote to memory of 4788 2960 cmd.exe 114 PID 2960 wrote to memory of 4788 2960 cmd.exe 114 PID 2960 wrote to memory of 4088 2960 cmd.exe 115 PID 2960 wrote to memory of 4088 2960 cmd.exe 115 PID 2960 wrote to memory of 4088 2960 cmd.exe 115 PID 2960 wrote to memory of 3240 2960 cmd.exe 116 PID 2960 wrote to memory of 3240 2960 cmd.exe 116 PID 2960 wrote to memory of 3240 2960 cmd.exe 116 PID 2960 wrote to memory of 1888 
2960 cmd.exe 117 PID 2960 wrote to memory of 1888 2960 cmd.exe 117 PID 2960 wrote to memory of 1888 2960 cmd.exe 117 PID 2960 wrote to memory of 4736 2960 cmd.exe 118 PID 2960 wrote to memory of 4736 2960 cmd.exe 118 PID 2960 wrote to memory of 4736 2960 cmd.exe 118 PID 2960 wrote to memory of 4640 2960 cmd.exe 119 PID 2960 wrote to memory of 4640 2960 cmd.exe 119 PID 2960 wrote to memory of 4640 2960 cmd.exe 119 PID 2960 wrote to memory of 1356 2960 cmd.exe 120 PID 2960 wrote to memory of 1356 2960 cmd.exe 120 PID 2960 wrote to memory of 1356 2960 cmd.exe 120 PID 2960 wrote to memory of 4600 2960 cmd.exe 121 PID 2960 wrote to memory of 4600 2960 cmd.exe 121 PID 2960 wrote to memory of 4600 2960 cmd.exe 121 PID 2960 wrote to memory of 536 2960 cmd.exe 122 PID 2960 wrote to memory of 536 2960 cmd.exe 122 PID 2960 wrote to memory of 536 2960 cmd.exe 122 PID 2960 wrote to memory of 4176 2960 cmd.exe 123 PID 2960 wrote to memory of 4176 2960 cmd.exe 123 PID 2960 wrote to memory of 4176 2960 cmd.exe 123 PID 2960 wrote to memory of 4636 2960 cmd.exe 124 PID 2960 wrote to memory of 4636 2960 cmd.exe 124 PID 2960 wrote to memory of 4636 2960 cmd.exe 124 PID 2960 wrote to memory of 4436 2960 cmd.exe 126 PID 2960 wrote to memory of 4436 2960 cmd.exe 126 PID 2960 wrote to memory of 4436 2960 cmd.exe 126 PID 2960 wrote to memory of 1604 2960 cmd.exe 127 PID 2960 wrote to memory of 1604 2960 cmd.exe 127 PID 2960 wrote to memory of 1604 2960 cmd.exe 127 PID 2960 wrote to memory of 3916 2960 cmd.exe 128
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-12_61a8fc763aa8bfdb1e43001566bcfce7_snatch.exe"
  - Drops file in Drivers directory
  - Drops startup file
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1508
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c hive.bat >NUL 2>NUL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2960
    Child processes of cmd.exe (depth 3), each C:\Windows\SysWOW64\timeout.exe with command line "timeout 1"; the signatures matched by each instance follow its PID in parentheses:
    - PID:4248 (Delays execution with timeout.exe)
    - PID:4428
    - PID:3776 (Delays execution with timeout.exe)
    - PID:4116 (Delays execution with timeout.exe)
    - PID:532 (System Location Discovery: System Language Discovery)
    - PID:1608 (System Location Discovery: System Language Discovery)
    - PID:4788 (System Location Discovery: System Language Discovery; Delays execution with timeout.exe)
    - PID:4088 (System Location Discovery: System Language Discovery)
    - PID:3240 (Delays execution with timeout.exe)
    - PID:1888 (System Location Discovery: System Language Discovery; Delays execution with timeout.exe)
    - PID:4736 (System Location Discovery: System Language Discovery; Delays execution with timeout.exe)
    - PID:4640
    - PID:1356 (System Location Discovery: System Language Discovery)
    - PID:4600
    - PID:536 (System Location Discovery: System Language Discovery)
    - PID:4176 (Delays execution with timeout.exe)
    - PID:4636 (Delays execution with timeout.exe)
    - PID:4436 (System Location Discovery: System Language Discovery; Delays execution with timeout.exe)
    - PID:1604 (Delays execution with timeout.exe)
    - PID:3916
    - PID:2128 (System Location Discovery: System Language Discovery)
    - PID:3684 (System Location Discovery: System Language Discovery)
    - PID:4992 (System Location Discovery: System Language Discovery)
    - PID:4560 (System Location Discovery: System Language Discovery; Delays execution with timeout.exe)
    - PID:4356 (Delays execution with timeout.exe)
    - PID:3152 (System Location Discovery: System Language Discovery; Delays execution with timeout.exe)
    - PID:2948 (System Location Discovery: System Language Discovery; Delays execution with timeout.exe)
    - PID:2304
    - PID:5064 (System Location Discovery: System Language Discovery; Delays execution with timeout.exe)
    - PID:4624 (System Location Discovery: System Language Discovery)
    - PID:2608 (System Location Discovery: System Language Discovery)
    - PID:4788 (System Location Discovery: System Language Discovery)
    - PID:4144 (Delays execution with timeout.exe)
    - PID:3688
    - PID:1888
    - PID:3252 (System Location Discovery: System Language Discovery; Delays execution with timeout.exe)
    - PID:2484
    - C:\Windows\SysWOW64\timeout.exe, timeout 1 (depth 3)
- System Location Discovery: System Language Discovery
PID:2968
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:1728
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:4632
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:3696
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:3644
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:3948
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:5000
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:3760
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:4852
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:3772
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:3996
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:1596
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:4296
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2544
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:4568
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:3800
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:1364
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2188
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2684
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1112
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:4852
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:3916
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2672
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:3308
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:3824
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:3996
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2608
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:752
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:1520
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:2080
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:4760
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:3956
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2420
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:4336
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:2076
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:2504
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:3468
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:2188
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:2716
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:2588
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2296
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:2304
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2072
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:4944
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:1344
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:3832
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:2876
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1580
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:744
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:1200
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:5080
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:5040
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:3944
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:1996
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:692
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:4648
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:180
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:4336
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1388
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:1368
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:4152
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:612
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:3012
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:1696
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:388
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:4308
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:2876
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:2896
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:3588
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:1888
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:4588
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1348
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:4792
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:2284
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
PID:4752
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:4136
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:4004
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1340
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:2740
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:3672
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:3692
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:3988
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:2124
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:4312
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:3320
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:3080
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:3356
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:4792
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:2180
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:2536
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:3996
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:4900
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:4752
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:2504
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:1920
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:2208
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:744
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:4544
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵PID:2320
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c shadow.bat >NUL 2>NUL2⤵PID:2028
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4108,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4020 /prefetch:81⤵PID:852
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1780
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (2)
  - Credentials from Web Browsers (1)
  - Windows Credential Manager (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.C5dk5EKAfuwXvvS6EdFcwlOGydL22IJz7TE2GVB2oDE.hive
Filesize
622KB