Malware Analysis Report

2025-08-06 04:12

Sample ID 230802-g4aw8sdb78
Target Siparis 02.08.023.exe
SHA256 3331e4358de7df247634699487afe492edf9af859cd588304ce9f0c6cb542cc3
Tags
snakekeylogger keylogger spyware stealer
score
10/10


Analysis Overview

Threat Level: Known bad

The file Siparis 02.08.023.exe was found to be: Known bad.

Malicious Activity Summary

Snake Keylogger

Snake Keylogger payload

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2023-08-02 06:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-02 06:21

Reported

2023-08-02 06:23

Platform

win7-20230712-en

Max time kernel

120s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe"

Signatures

Snake Keylogger

stealer keylogger snakekeylogger

Snake Keylogger payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2584 set thread context of 1868 N/A C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2584 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2584 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2584 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe C:\Windows\SysWOW64\schtasks.exe
PID 2584 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe

"C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rBsecoizqPy.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rBsecoizqPy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp690F.tmp"

C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe

"C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
US 193.122.130.0:80 checkip.dyndns.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp690F.tmp

MD5 a25aeed858435bfa9d3dfb2a3fcf3d3d
SHA1 6b346fd10916b0e7e6311a82af44ac6337cf6429
SHA256 22bce8b7245dfadef9bd2e78a0babec5c9b00d18532022127789dedda2811a8b
SHA512 4a7973a175c0ef4c9504d2fb89e854e5ad437c8314f9b086b1f8e2d4ea9bf42cab54a1463708b5e25a445750356cb27fba06dccf91f586e5c092b31fe7a6783c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 250f8b20d966e4bf1fa8d10e96b0dff3
SHA1 7b2983bba7dfe40ca219e224bbf3a01fe877ad60
SHA256 ff503e33aee4b837a363916753bf3bbaa151bd768beb5b182bc3e97e1ccd9281
SHA512 fa575b181db3da006e89f167ed47a34a35d993120d3e15278777398285e8a8df47e30272d6699d8ce3aa6f8543a068a5f6c19741476ac6202a9315f2bdeefac5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XRMOW1TN7ULII41URCOU.temp

MD5 250f8b20d966e4bf1fa8d10e96b0dff3
SHA1 7b2983bba7dfe40ca219e224bbf3a01fe877ad60
SHA256 ff503e33aee4b837a363916753bf3bbaa151bd768beb5b182bc3e97e1ccd9281
SHA512 fa575b181db3da006e89f167ed47a34a35d993120d3e15278777398285e8a8df47e30272d6699d8ce3aa6f8543a068a5f6c19741476ac6202a9315f2bdeefac5

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-02 06:21

Reported

2023-08-02 06:23

Platform

win10v2004-20230703-en

Max time kernel

140s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe"

Signatures

Snake Keylogger

stealer keylogger snakekeylogger

Snake Keylogger payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2632 set thread context of 3820 N/A C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2632 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2632 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2632 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe C:\Windows\SysWOW64\schtasks.exe
PID 2632 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe

"C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rBsecoizqPy.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rBsecoizqPy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp966F.tmp"

C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe

"C:\Users\Admin\AppData\Local\Temp\Siparis 02.08.023.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
US 158.101.44.242:80 checkip.dyndns.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp966F.tmp

MD5 a0640ec5bce918a9c49ac81187baec7b
SHA1 4eef02e9643d3943d81c8da1e7e3f7856834ea7d
SHA256 8e0bb1e5b5012a4ec071af2ffbac99573c655737ed658b26fe9a240f10f985ac
SHA512 1679f29a2f1a2164de903d19729f94a499c7a83a037ccf7a8b28e66976fee11574dfa0f99bf45087480e2400e94258d6cd7835b7d1b153d9941caaaf64becea6

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pugau1c0.zph.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9705cc2e26833e536847128cb77248fc
SHA1 e6ec4c08bae27621407d2eac17bb3849d4617851
SHA256 568839032a5f7dd9de4fc313d7cf136a3e3ed8ce5826cc6fc4662ee877fc4127
SHA512 ce7740da98cbea75cec26f63f740b52cfc99c41f4a2ff59820edd85cf6587361ed132d622a21e00ac18c4c8749379b757f028dc948d32c8ef9a0aad34b5ee936

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
