Malware Analysis Report

2025-06-16 03:51

Sample ID 240131-amtvfshdbn
Target 82f4ae80360792467e90af85e78fecad
SHA256 7bc5eb4d7e5f4a51cc18540b9ed86a607ccf9979d1d19dbfd94335c8b57c70f0
Tags
snakekeylogger keylogger persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7bc5eb4d7e5f4a51cc18540b9ed86a607ccf9979d1d19dbfd94335c8b57c70f0

Threat Level: Known bad

The file 82f4ae80360792467e90af85e78fecad was found to be: Known bad.

Chain observed in both detonations (every detail below is taken from the signature, process, network and file tables of this report): the submitted executable starts a copy of itself and writes into that copy (WriteProcessMemory 3076 -> 3400 and 3076 -> 4464 on Windows 10, together with the "Suspicious use of SetThreadContext" hit: the usual process-hollowing pattern). The written-into copy drops and runs two executables, ._cache_82f4ae80360792467e90af85e78fecad.exe in the user's Temp directory and C:\ProgramData\Synaptics\Synaptics.exe, and registers the latter for persistence under HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run as "Synaptics Pointing Device Driver". Synaptics.exe (started with the argument InjUpdate) repeats the same hollow-and-drop sequence into ._cache_Synaptics.exe, and one of the Synaptics.exe writes recorded on disk carries the same hashes as the submitted sample (MD5 82f4ae80360792467e90af85e78fecad), i.e. the persisted binary is a copy of the infector itself. Snake Keylogger is matched in memory in both runs. Both ._cache_ processes take SeDebugPrivilege; the run contacts external-IP and geolocation services (checkip.dyndns.org, freegeoip.app, ipbase.com), queries the dynamic-DNS names xred.mooo.com and freedns.afraid.org (the latter is also contacted over port 80) and connects to docs.google.com and drive.usercontent.google.com over HTTPS. On Windows 10 the sample additionally starts EXCEL.EXE through COM automation ("/automation -Embedding") with a dropped workbook yOfNkJYi.xlsm; on Windows 7 both ._cache_ payloads crash into WerFault.exe. The "Modifies system certificate store" hit on Windows 7 is a write of the public GlobalSign Root CA into the AuthRoot cache (the certificate is readable in the blob of that table), not an attacker-controlled root.

Malicious Activity Summary

snakekeylogger keylogger persistence stealer

Snake Keylogger payload

Snake Keylogger

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-31 00:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-31 00:20

Reported

2024-01-31 00:22

Platform

win10v2004-20231222-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe"

Signatures

Snake Keylogger

stealer keylogger snakekeylogger

Snake Keylogger payload

Description Indicator Process Target
13 rows, every field N/A (the in-memory match carries no indicator, process or target in this report)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\ProgramData\Synaptics\Synaptics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A
N/A freegeoip.app N/A N/A
N/A freegeoip.app N/A N/A
N/A freegeoip.app N/A N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\ProgramData\Synaptics\Synaptics.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Note on attribution: the processor, BIOS and clipboard-listener rows above are attributed to EXCEL.EXE, which the sample started through COM automation ("/automation -Embedding", see Processes), not to the sample or its dropped executables, and no WriteProcessMemory call into EXCEL.EXE is logged in this run. These three hits are consistent with Office's own start-up behaviour; treat them as weak signal unless a dump of EXCEL.EXE shows injected code.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_82f4ae80360792467e90af85e78fecad.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A

Suspicious use of WriteProcessMemory

Identical rows collapsed; the last column is the number of calls logged for that parent/child pair.
Description Indicator Process Target Calls
PID 3076 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe 3
PID 3076 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe 11
PID 4464 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe C:\Users\Admin\AppData\Local\Temp\._cache_82f4ae80360792467e90af85e78fecad.exe 2
PID 4464 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe C:\ProgramData\Synaptics\Synaptics.exe 3
PID 1232 wrote to memory of 1664 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\ProgramData\Synaptics\Synaptics.exe 11
PID 1664 wrote to memory of 1624 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe 2
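As an added example (this is not part of the sandbox report or of any tool the report was produced with), the Python below rebuilds the write graph from the rows of this table, counts calls per parent/child pair, flags writes into a fresh instance of the writer's own image (the hollowing pattern the SetThreadContext signature points at) and writes into a dropped ._cache_ binary, and prints every root-to-leaf chain. The rows are reconstructed from this table, one line per logged call; the flag names and the row regex are this example's own assumptions about the report format.

```python
"""Rebuild the injection chain from sandbox WriteProcessMemory rows (added example)."""
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe"
CACHE = r"C:\Users\Admin\AppData\Local\Temp\._cache_82f4ae80360792467e90af85e78fecad.exe"
SYNAPTICS = r"C:\ProgramData\Synaptics\Synaptics.exe"
CACHE_SYN = r"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"


def _row(src, dst, src_img, dst_img):
    return f"PID {src} wrote to memory of {dst} N/A {src_img} {dst_img}"


# The behavioral2 table, expanded back to one line per logged call (counts from the table).
WPM_LOG = "\n".join(
    [_row(3076, 3400, SAMPLE, SAMPLE)] * 3
    + [_row(3076, 4464, SAMPLE, SAMPLE)] * 11
    + [_row(4464, 4772, SAMPLE, CACHE)] * 2
    + [_row(4464, 1232, SAMPLE, SYNAPTICS)] * 3
    + [_row(1232, 1664, SYNAPTICS, SYNAPTICS)] * 11
    + [_row(1664, 1624, SYNAPTICS, CACHE_SYN)] * 2
)

# Assumed row format: "PID <src> wrote to memory of <dst> N/A <src image> <dst image>"
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_img>.+?\.exe) (?P<dst_img>.+?\.exe)$",
    re.IGNORECASE,
)


def parse_wpm(log: str) -> Counter:
    """Count logged calls per (src pid, dst pid, src image, dst image); unattributed rows are skipped."""
    edges = Counter()
    for line in log.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            edges[(int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"])] += 1
    return edges


def classify(edges: Counter) -> list[dict]:
    """Tag each edge with what the write pattern suggests (flag names are this example's own)."""
    out = []
    for (src, dst, src_img, dst_img), n in sorted(edges.items()):
        flags = []
        if src_img.lower() == dst_img.lower():
            flags.append("same-image child")  # parent writes into a new copy of itself: hollowing
        if PureWindowsPath(dst_img).name.lower().startswith("._cache_"):
            flags.append("write into dropped payload")
        out.append({"src": src, "dst": dst, "src_img": src_img, "dst_img": dst_img,
                    "calls": n, "flags": flags})
    return out


def chains(edges: Counter) -> list[str]:
    """Render every root-to-leaf path of the write graph as 'pid image -> pid image -> ...'."""
    children, image = defaultdict(list), {}
    for src, dst, src_img, dst_img in edges:
        children[src].append(dst)
        image.setdefault(src, src_img)
        image[dst] = dst_img
    targets = {dst for _, dst, _, _ in edges}
    roots = sorted(pid for pid in children if pid not in targets)

    def walk(pid, path):
        label = f"{pid} {PureWindowsPath(image[pid]).name}"
        if pid not in children:  # leaf: nobody was written to by this pid
            return [" -> ".join(path + [label])]
        return [p for c in sorted(children[pid]) for p in walk(c, path + [label])]

    return [p for r in roots for p in walk(r, [])]


if __name__ == "__main__":
    graph = parse_wpm(WPM_LOG)
    for edge in classify(graph):
        print(f"{edge['src']} -> {edge['dst']}  calls={edge['calls']}  {edge['flags']}")
    print("\n".join(chains(graph)))
```

The same code applies unchanged to the Windows 7 table further down; there the two extra leaves are WerFault.exe, which is what a crashing ._cache_ process writes to when it hands off its crash report.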

Processes

C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe

"C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe"

C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe

"C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe"

C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe

"C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_82f4ae80360792467e90af85e78fecad.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_82f4ae80360792467e90af85e78fecad.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 checkip.dyndns.org udp
US 193.122.130.0:80 checkip.dyndns.org tcp
US 8.8.8.8:53 freegeoip.app udp
US 104.21.73.97:443 freegeoip.app tcp
US 8.8.8.8:53 ipbase.com udp
US 172.67.209.71:443 ipbase.com tcp
US 8.8.8.8:53 0.130.122.193.in-addr.arpa udp
US 8.8.8.8:53 97.73.21.104.in-addr.arpa udp
US 8.8.8.8:53 71.209.67.172.in-addr.arpa udp
US 193.122.130.0:80 checkip.dyndns.org tcp
US 104.21.73.97:443 freegeoip.app tcp
US 172.67.209.71:443 ipbase.com tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 xred.mooo.com udp
US 8.8.8.8:53 freedns.afraid.org udp
US 174.128.246.100:80 freedns.afraid.org tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 100.246.128.174.in-addr.arpa udp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp
US 8.8.8.8:53 docs.google.com udp
FR 172.217.20.206:443 docs.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
FR 142.250.179.97:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 206.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 67.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 97.179.250.142.in-addr.arpa udp

Files

memory/3076-0-0x0000000000550000-0x0000000000680000-memory.dmp

memory/3076-1-0x0000000074480000-0x0000000074C30000-memory.dmp

memory/3076-2-0x00000000056D0000-0x0000000005C74000-memory.dmp

memory/3076-3-0x0000000005060000-0x00000000050F2000-memory.dmp

memory/3076-4-0x00000000051C0000-0x000000000525C000-memory.dmp

memory/3076-5-0x0000000005380000-0x0000000005390000-memory.dmp

memory/3076-6-0x0000000005100000-0x000000000510A000-memory.dmp

memory/3076-7-0x00000000053A0000-0x00000000053B8000-memory.dmp

memory/3076-8-0x0000000074480000-0x0000000074C30000-memory.dmp

memory/3076-9-0x0000000005380000-0x0000000005390000-memory.dmp

memory/3076-10-0x0000000007D20000-0x0000000007E22000-memory.dmp

memory/3076-11-0x000000000A4C0000-0x000000000A5A8000-memory.dmp

memory/4464-13-0x0000000000400000-0x00000000004E0000-memory.dmp

memory/4464-12-0x0000000000400000-0x00000000004E0000-memory.dmp

memory/4464-15-0x0000000000400000-0x00000000004E0000-memory.dmp

memory/4464-20-0x0000000001050000-0x0000000001051000-memory.dmp

memory/3076-17-0x0000000074480000-0x0000000074C30000-memory.dmp

memory/4464-16-0x0000000000400000-0x00000000004E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\._cache_82f4ae80360792467e90af85e78fecad.exe

MD5 21cbcd7e0dbd6eeb8eec1200ef03c974
SHA1 90935710302cca3d5a5c73d5e6d7c88c7cd82331
SHA256 7785ce1ba96c1fcb4c4c54205b5a989bf9652b62009ad7aadc8282d639d6e95b
SHA512 6762dc75623a893d5c34edc6da72c9a2d2e94bf14fb2d482c8af87fd048b77e80e48e293cc6d08759316f71ec06e64483740d567a0a6e6df800d166bae40bb71

C:\ProgramData\Synaptics\Synaptics.exe

MD5 af85a906922b7330b5fe5da550dba49d
SHA1 335a69a9c9567306d3670bd5909849ea0b7cddd0
SHA256 f948f1703b91b66b6c6915303cfc3914526801b14e08b41e88dbff0de751e87a
SHA512 e3a0431366e14f18bdb64bbdb28c8b9336e7c074ec01b0375497e876db379d2a174b12b9921b3653e8aee395fae232d8d2a6be4e91c975fc1aeff7e98a731089

memory/4772-85-0x0000000000580000-0x00000000005A4000-memory.dmp

memory/4772-145-0x000000001B230000-0x000000001B240000-memory.dmp

memory/1232-147-0x0000000004D30000-0x0000000004D40000-memory.dmp

memory/1232-146-0x0000000073170000-0x0000000073920000-memory.dmp

memory/4464-144-0x0000000000400000-0x00000000004E0000-memory.dmp

C:\ProgramData\Synaptics\Synaptics.exe

MD5 8b4151919630ef4f1053da82cb8f1f18
SHA1 e6df53173d483e42b9e9c0c9d701fce276d98c05
SHA256 f67eab8df26386310b0cb24772603e1708b741ea8d48d2902e0fc38e304af5af
SHA512 f69f8802418df0c31cbde97fbbcdd1c5695b20ffc4ad0f3ae4c02bc85152857582736c2f9bc8c2cbe0e05d5b31aec396901b4999ac6904d44ce36235885b44df

memory/4772-143-0x00007FFCEAC60000-0x00007FFCEB721000-memory.dmp

C:\ProgramData\Synaptics\Synaptics.exe

MD5 ed6e4e44214298d62933193037c55da7
SHA1 cfc0e652990ee978f493fe089e419e0d3848269b
SHA256 26e9d47cb85cd57e4a69e0178dd84f61eef39f129a7d9c670d228bd9f7aab0cd
SHA512 db06d08ee7a6f5b6573710f1fe58e8286f8759c2f0f3bd057558535f012ab24802df259264c2e4f121bd481bbf74299e77ef7bbe415d85fdfcf139a051fb7753

memory/4772-148-0x00007FFCEAC60000-0x00007FFCEB721000-memory.dmp

memory/1232-149-0x0000000073170000-0x0000000073920000-memory.dmp

memory/1232-150-0x0000000004D30000-0x0000000004D40000-memory.dmp

C:\ProgramData\Synaptics\Synaptics.exe

MD5 82f4ae80360792467e90af85e78fecad
SHA1 1c6c2801823fe1287638dc309661ff0a75f87623
SHA256 7bc5eb4d7e5f4a51cc18540b9ed86a607ccf9979d1d19dbfd94335c8b57c70f0
SHA512 ed428169ebc0293b917a53e59129e5f746eb3ef99bd485d6575d7d15fabd2557e40592aa5c8773ff85540f1c37745f464a9a6cdb1f6af19810e7cc2a8e0d91e6

memory/1232-156-0x0000000073170000-0x0000000073920000-memory.dmp

memory/1664-155-0x0000000000400000-0x00000000004E0000-memory.dmp

memory/1664-158-0x00000000027A0000-0x00000000027A1000-memory.dmp

memory/1664-157-0x0000000000400000-0x00000000004E0000-memory.dmp

memory/1624-219-0x00007FFCEAC60000-0x00007FFCEB721000-memory.dmp

memory/4944-223-0x00007FFCC9E90000-0x00007FFCC9EA0000-memory.dmp

memory/4944-222-0x00007FFD09E10000-0x00007FFD0A005000-memory.dmp

memory/4944-225-0x00007FFCC9E90000-0x00007FFCC9EA0000-memory.dmp

memory/4944-224-0x00007FFD09E10000-0x00007FFD0A005000-memory.dmp

memory/4944-227-0x00007FFD09E10000-0x00007FFD0A005000-memory.dmp

memory/4944-229-0x00007FFD09E10000-0x00007FFD0A005000-memory.dmp

memory/4944-228-0x00007FFCC9E90000-0x00007FFCC9EA0000-memory.dmp

memory/4944-231-0x00007FFD09E10000-0x00007FFD0A005000-memory.dmp

memory/4944-230-0x00007FFD09E10000-0x00007FFD0A005000-memory.dmp

memory/4944-233-0x00007FFD09E10000-0x00007FFD0A005000-memory.dmp

memory/4944-234-0x00007FFD09E10000-0x00007FFD0A005000-memory.dmp

memory/4944-235-0x00007FFD09E10000-0x00007FFD0A005000-memory.dmp

memory/4944-236-0x00007FFCC7800000-0x00007FFCC7810000-memory.dmp

memory/4944-237-0x00007FFD09E10000-0x00007FFD0A005000-memory.dmp

memory/4944-238-0x00007FFD09E10000-0x00007FFD0A005000-memory.dmp

memory/4944-232-0x00007FFD09E10000-0x00007FFD0A005000-memory.dmp

memory/4944-226-0x00007FFCC9E90000-0x00007FFCC9EA0000-memory.dmp

memory/4944-221-0x00007FFCC9E90000-0x00007FFCC9EA0000-memory.dmp

memory/1624-220-0x0000000002290000-0x00000000022A0000-memory.dmp

memory/4944-239-0x00007FFCC7800000-0x00007FFCC7810000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yOfNkJYi.xlsm

MD5 e566fc53051035e1e6fd0ed1823de0f9
SHA1 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512 a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

memory/1624-243-0x00007FFCEAC60000-0x00007FFCEB721000-memory.dmp

memory/1664-252-0x0000000000400000-0x00000000004E0000-memory.dmp

memory/1664-253-0x0000000000400000-0x00000000004E0000-memory.dmp

memory/1664-257-0x0000000000400000-0x00000000004E0000-memory.dmp

memory/1664-261-0x00000000027A0000-0x00000000027A1000-memory.dmp

memory/4944-262-0x00007FFD09E10000-0x00007FFD0A005000-memory.dmp

memory/1664-283-0x0000000000400000-0x00000000004E0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-31 00:20

Reported

2024-01-31 00:22

Platform

win7-20231129-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe"

Signatures

Snake Keylogger

stealer keylogger snakekeylogger

Snake Keylogger payload

Description Indicator Process Target
18 rows, every field N/A (the in-memory match carries no indicator, process or target in this report)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A
N/A freegeoip.app N/A N/A
N/A freegeoip.app N/A N/A
N/A freegeoip.app N/A N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = <blob value elided in this copy of the report> C:\Users\Admin\AppData\Local\Temp\._cache_82f4ae80360792467e90af85e78fecad.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = <blob value elided in this copy of the report> C:\Users\Admin\AppData\Local\Temp\._cache_82f4ae80360792467e90af85e78fecad.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Local\Temp\._cache_82f4ae80360792467e90af85e78fecad.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Users\Admin\AppData\Local\Temp\._cache_82f4ae80360792467e90af85e78fecad.exe N/A

What was written: the key name is a SHA-1 thumbprint (B1BC968BD4F49D622AA89A81F2150152A41D829C) and the Blob is a CryptoAPI serialized certificate, a sequence of (property id, reserved, length, data) records. Its embedded DER certificate (property 0x20) is the public GlobalSign Root CA: subject and issuer CN "GlobalSign Root CA", O "GlobalSign nv-sa", serial 04:00:00:00:00:01:15:4b:5a:c3:94, valid 1998-09-01 to 2028-01-28, subject key identifier 60:7b:66:1a:45:0d:97:ca:89:50:2f:7d:04:cd:34:a8:ff:fc:fd:4b; the friendly-name property decodes to "GlobalSign" and the SHA-1 property equals the key name. A well-known public root appearing under AuthRoot\Certificates, in a run that makes HTTPS connections (freegeoip.app, ipbase.com, docs.google.com) and also fetches from pki.goog, is what Windows' automatic root-certificate update looks like when CryptoAPI caches a root it needed for chain building; it is not by itself evidence of an attacker-installed root. Nothing is written to the ROOT store (...\SystemCertificates\ROOT\Certificates) in this log. The check worth doing on any such hit is to decode the blob and compare the certificate's SHA-1 with the key name and with the known public root; only an unknown thumbprint, or a blob that does not match a public certificate, turns this signature into a finding.
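The decoding check described above, as an added example that is not part of the sandbox report: the hex is the Blob value of this table joined back into one string; the parser walks the CryptoAPI property records, pulls the DER certificate out of property 0x20, verifies that its SHA-1 equals both the registry key name and the cached SHA-1 property, and extracts the CN and validity with a deliberately minimal DER scan (OID 2.5.4.3 followed by a short string, UTCTime tags), which is enough for a root certificate but is not a general X.509 parser. The property-id names are taken from wincrypt.h; the function names are this example's own.

```python
"""Decode the AuthRoot certificate blob written during the Windows 7 run (added example)."""
import hashlib
import re
import struct

# CryptoAPI certificate property ids (wincrypt.h) present in this blob
PROP_NAMES = {3: "CERT_SHA1_HASH_PROP_ID", 9: "CERT_ENHKEY_USAGE_PROP_ID",
              11: "CERT_FRIENDLY_NAME_PROP_ID", 15: "CERT_SIGNATURE_HASH_PROP_ID",
              20: "CERT_KEY_IDENTIFIER_PROP_ID", 32: "CERT_CERT_PROP_ID"}

REGISTRY_KEY_THUMBPRINT = "B1BC968BD4F49D622AA89A81F2150152A41D829C"
AUTHROOT_BLOB_HEX = (  # Blob value from the table above, split only for readability
    "0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d"
    "090000000100000068000000306606082b0601050507030106082b06010505070302"
    "06082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309"
    "060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b06010505080202"
    "5300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0"
    "0b000000010000001600000047006c006f00620061006c005300690067006e000000"
    "140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b"
    "1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236"
    "030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c"
    "200000000100000079030000"  # property 0x20: the DER certificate, 0x379 bytes
    "308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d0101050500"
    "3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d7361"
    "3110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341"
    "301e170d3938303930313132303030305a170d3238303132383132303030305a"
    "3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d7361"
    "3110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341"
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"
    "da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e2"
    "6766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a"
    "30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e43"
    "73f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93cca"
    "e5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd578"
    "1695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f"
    "2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa"
    "48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf"
    "0203010001"
    "a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff"
    "301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b"
    "300d06092a864886f70d01010505000382010100"
    "d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa"
    "1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3"
    "e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c91441"
    "9cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649a"
    "e095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac17"
    "5d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7"
    "db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85"
    "d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0"
)


def parse_cert_blob(blob: bytes) -> dict[int, bytes]:
    """Walk the (propId, reserved=1, cbData, data) records of a serialized certificate."""
    props, off = {}, 0
    while off < len(blob):
        prop_id, reserved, size = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + size > len(blob):
            raise ValueError(f"malformed property record at offset {off - 12}")
        props[prop_id] = blob[off:off + size]
        off += size
    return props


def _utc_dates(der: bytes) -> list[str]:
    """UTCTime fields (tag 0x17, length 13) as YYYY-MM-DD, with RFC 5280 two-digit-year rules."""
    out = []
    for m in re.finditer(rb"\x17\x0d(\d{12})Z", der):
        t = m.group(1).decode("ascii")
        yy = int(t[:2])
        out.append(f"{1900 + yy if yy >= 50 else 2000 + yy}-{t[2:4]}-{t[4:6]}")
    return out


def _common_names(der: bytes) -> list[str]:
    """CN attributes: OID 2.5.4.3 (06 03 55 04 03) followed by a short PrintableString/UTF8String."""
    out, i = [], 0
    while (i := der.find(b"\x06\x03\x55\x04\x03", i)) != -1:
        tag, length = der[i + 5], der[i + 6]
        if tag in (0x0C, 0x13) and length < 0x80:  # short-form length is enough for a CN
            out.append(der[i + 7:i + 7 + length].decode("utf-8"))
        i += 7
    return out


def summarise_authroot_blob(blob_hex: str, key_thumbprint: str) -> dict:
    """Decode the blob and check that the key name really is the SHA-1 of the stored certificate."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    der = props[32]
    sha1 = hashlib.sha1(der).hexdigest()
    dates = _utc_dates(der)
    return {
        "properties": [PROP_NAMES.get(p, str(p)) for p in sorted(props)],
        "friendly_name": props[11].decode("utf-16-le").rstrip("\x00"),
        "common_names": _common_names(der),
        "not_before": dates[0], "not_after": dates[1],
        "der_length": len(der), "sha1": sha1,
        "sha1_matches_key": sha1 == key_thumbprint.lower() == props[3].hex(),
    }


if __name__ == "__main__":
    for k, v in summarise_authroot_blob(AUTHROOT_BLOB_HEX, REGISTRY_KEY_THUMBPRINT).items():
        print(f"{k}: {v}")
```

Comparing the printed SHA-1 against a trusted copy of the GlobalSign Root CA (or against the Microsoft trusted-root list) closes the check; a thumbprint that is absent from both is the point at which an AuthRoot or ROOT write becomes a finding.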

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_82f4ae80360792467e90af85e78fecad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_82f4ae80360792467e90af85e78fecad.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A

Suspicious use of WriteProcessMemory

Identical rows collapsed; the last column is the number of calls logged for that parent/child pair. The writes into WerFault.exe match the crash-reporting handshake of the two ._cache_ processes (see "WerFault.exe -u -p 1888" and "-p 1100" under Processes), not injection.
Description Indicator Process Target Calls
PID 2248 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe 12
PID 2616 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe C:\Users\Admin\AppData\Local\Temp\._cache_82f4ae80360792467e90af85e78fecad.exe 4
PID 2616 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe C:\ProgramData\Synaptics\Synaptics.exe 4
PID 1888 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\._cache_82f4ae80360792467e90af85e78fecad.exe C:\Windows\system32\WerFault.exe 3
PID 2572 wrote to memory of 392 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\ProgramData\Synaptics\Synaptics.exe 12
PID 392 wrote to memory of 1100 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe 4
PID 1100 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\system32\WerFault.exe 3

Processes

C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe

"C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe"

C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe

"C:\Users\Admin\AppData\Local\Temp\82f4ae80360792467e90af85e78fecad.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_82f4ae80360792467e90af85e78fecad.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_82f4ae80360792467e90af85e78fecad.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1888 -s 1616

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1100 -s 1528

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
US 193.122.130.0:80 checkip.dyndns.org tcp
US 8.8.8.8:53 freegeoip.app udp
US 104.21.73.97:443 freegeoip.app tcp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 ipbase.com udp
US 172.67.209.71:443 ipbase.com tcp
US 8.8.8.8:53 xred.mooo.com udp
US 193.122.130.0:80 checkip.dyndns.org tcp
US 8.8.8.8:53 freedns.afraid.org udp
US 174.128.246.100:80 freedns.afraid.org tcp
US 104.21.73.97:443 freegeoip.app tcp
US 172.67.209.71:443 ipbase.com tcp
US 8.8.8.8:53 docs.google.com udp
FR 172.217.20.206:443 docs.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
FR 142.250.179.97:443 drive.usercontent.google.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\._cache_82f4ae80360792467e90af85e78fecad.exe

MD5 3adc46c5b68c4c1c0d029a0f3206a614
SHA1 a05769c7527a9e0f9e5c9ead1c91a035689d3192
SHA256 db380f07b3c8ba749dd654d82bc51e20606f4d1aa60a9074938c5bc2fe4e4737
SHA512 0b012589bb83ddb682be17f7d18c6f2ffa9e1acef74c51a8c6655e9b686ce75672c168fc86833d3cf1cad0f470832e272164c8fc6cae1c48db00686e95f579ce

\Users\Admin\AppData\Local\Temp\._cache_82f4ae80360792467e90af85e78fecad.exe

MD5 21cbcd7e0dbd6eeb8eec1200ef03c974
SHA1 90935710302cca3d5a5c73d5e6d7c88c7cd82331
SHA256 7785ce1ba96c1fcb4c4c54205b5a989bf9652b62009ad7aadc8282d639d6e95b
SHA512 6762dc75623a893d5c34edc6da72c9a2d2e94bf14fb2d482c8af87fd048b77e80e48e293cc6d08759316f71ec06e64483740d567a0a6e6df800d166bae40bb71

C:\Users\Admin\AppData\Local\Temp\._cache_82f4ae80360792467e90af85e78fecad.exe

MD5 b85a136a56c28d15d489815e46ce743b
SHA1 ea6911fea1c703521beba74cc9c9b04ee2710f80
SHA256 004799c0ade9fddc9501b4df5b8af4a7e63999af70933c2bb5a859752da5d719
SHA512 7c5dc77afc33fe4ff30c244ec48c4035db4c3d648e0649e4de45ae3630d8a8d7920f51bc2be058f971aabe725883f12b939c15c3d5b2730a9e1b8772db50a7d8

C:\ProgramData\Synaptics\Synaptics.exe

MD5 d37b86ea4fbc8f2e69d08fdebcc22a1a
SHA1 088011d4bcd79ebc76a30b8cfc7d8753a400aa2f
SHA256 d1cf57a97026eb5b03b697fa792a6d52ab5e2f2f1a60814f105e360871dbe0df
SHA512 7b83b5463c356d095a55fd1c6d7571d25b6edc2997202888c5eb8ae42e2eae5fd019e2371a3bf1512b0f0c4161c2d502741e2275b245fb5dc0cf4a45408ef02e

C:\ProgramData\Synaptics\Synaptics.exe

MD5 9272bb5bf563c9afa040a40943bb85b3
SHA1 ce0661f901eaa369f4cebd6d3f2b2da7adf24e18
SHA256 7e9890371736c982f41473bf163f6cee4c45e04f35b4a29c14df153a9f6a6fb6
SHA512 bf9dc54bd576e28b4159336227f7b837b965ef7ddc64d37dfc70a6905f4a0964a66b63ca4c4b5283be419d7787b6da0c77e977c84fd69d49aa11a888915aaf39

C:\ProgramData\Synaptics\Synaptics.exe

MD5 0945803db5908e0dd2f34a5311609a53
SHA1 a9a01c110f787f17797199fd4dd6403073164903
SHA256 309495c3228f71a82c738696ed8c3096e2475b3d3082e2808ac910a1ba1ef618
SHA512 2ab133496406617456bbaa8a9cce622db2ef3a6e84d4a34e0262b9a33e9438464f4aeda896b26db1784bb277a12988318c1e93854326ab845f22fc0002382172

\ProgramData\Synaptics\Synaptics.exe

MD5 79f4d6d7d09ef0b45bfed172492b8578
SHA1 4bcfcaf7a6f09dae1af6cf751ace233576c82884
SHA256 6df68dacffebe92d496d06686257434b0daefe6ec1b92024cfd8a2863cbb94bf
SHA512 79d006e7031604d292ae63123cc4ee64794603b2d7b7992fb24a64a73b2f37e1466c15a1f7d6e473add34aaef5ae3ba9af6d604e7df14da783d38aee78e12a57

C:\ProgramData\Synaptics\Synaptics.exe

MD5 82f4ae80360792467e90af85e78fecad
SHA1 1c6c2801823fe1287638dc309661ff0a75f87623
SHA256 7bc5eb4d7e5f4a51cc18540b9ed86a607ccf9979d1d19dbfd94335c8b57c70f0
SHA512 ed428169ebc0293b917a53e59129e5f746eb3ef99bd485d6575d7d15fabd2557e40592aa5c8773ff85540f1c37745f464a9a6cdb1f6af19810e7cc2a8e0d91e6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 93ed4b5b031dee796043925b3508aa26
SHA1 d47b9b45c18e19f233f5fd4617c658dd94b15dd0
SHA256 8c9b80f6e4ea43704fc2770c93d56527807f369b54e1545bdcd1aa76bfa2ce47
SHA512 cd2041a9e8907fe18a36158cfd2c3ecaff163217ae07ef70bbc8617863449692aad72cd831eb61ca576a2c106efef2a6db66a615909c5dd64d78dcacf9a4d4e8

C:\Users\Admin\AppData\Local\Temp\Cab3A90.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3a77e31edf7140478b67482628c6f8f6
SHA1 807a1194b20b79b5f65ca5c42a3aa577b0439239
SHA256 2ee12e03e03afbff04862590215fa99b68fe8408a8f699d4f9831373f9b15475
SHA512 0f09c03b65a239f79ce88e78f2b6b50eeb2880929c2e85d4dfbbfbd97f3542482f49879b08d2503374664b73ce456997dad0102e5ae69ec589648221b4c33544