Malware Analysis Report

2024-10-18 23:14

Sample ID 240508-vd6swaeb7z
Target z26MB263350412AE.exe
SHA256 4e3eb1a503d160b9cd151c523b34ba05c7bcbd79974a0a46fa092569db8bf2a7
Tags snakekeylogger collection execution keylogger spyware stealer
Score 10/10

Analysis Overview

Score 10/10

SHA256 4e3eb1a503d160b9cd151c523b34ba05c7bcbd79974a0a46fa092569db8bf2a7

Threat Level: Known bad

The file z26MB263350412AE.exe was found to be: Known bad.

Malicious Activity Summary

snakekeylogger collection execution keylogger spyware stealer

Snake Keylogger

Snake Keylogger payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

outlook_office_path

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

outlook_win_path

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-08 16:53

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-08 16:53

Reported

2024-05-08 16:56

Platform

win7-20240215-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe"

Signatures

Snake Keylogger

stealer keylogger snakekeylogger

Snake Keylogger payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2208 set thread context of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (data omitted) | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2208 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2208 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2208 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2208 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2208 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe
PID 2208 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe
PID 2208 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe
PID 2208 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe
PID 2208 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe
PID 2208 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe
PID 2208 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe
PID 2208 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe
PID 2208 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe

"C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KYmWnLVcE.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KYmWnLVcE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3FED.tmp"

C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe

"C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | checkip.dyndns.org | udp
JP | 132.226.8.169:80 | checkip.dyndns.org | tcp
US | 8.8.8.8:53 | reallyfreegeoip.org | udp
US | 172.67.177.134:443 | reallyfreegeoip.org | tcp
US | 8.8.8.8:53 | scratchdreams.tk | udp
US | 172.67.169.18:443 | scratchdreams.tk | tcp
US | 8.8.8.8:53 | mail.speedhouseoman.com | udp
GB | 149.255.62.32:587 | mail.speedhouseoman.com | tcp

Files

memory/2208-0-0x0000000074A7E000-0x0000000074A7F000-memory.dmp

memory/2208-1-0x0000000000210000-0x00000000002B6000-memory.dmp

memory/2208-2-0x0000000074A70000-0x000000007515E000-memory.dmp

memory/2208-3-0x0000000000380000-0x000000000039C000-memory.dmp

memory/2208-4-0x0000000000410000-0x000000000041E000-memory.dmp

memory/2208-5-0x0000000000520000-0x0000000000536000-memory.dmp

memory/2208-6-0x0000000074A70000-0x000000007515E000-memory.dmp

memory/2208-7-0x00000000055F0000-0x000000000565C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp3FED.tmp

MD5 839da55b1d40544133698ce97354f7b5
SHA1 f267576dfe53325a3487344a3bb2dc15120df8b4
SHA256 7e2c1f76ee6f96ee74b5fcf931b1c5ab1e7ea08c8bd4d83e6f358eeda9a9f9b5
SHA512 69fd8efc77a4141f15543563d8d4a770398f554cc10b7eb3136b265e2379a811f2b4e621ecda50efefb67f86caf5744bcd78c700a05c9aaaa8ca73b48818b024

memory/2540-15-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2540-19-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2540-27-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2540-25-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2540-24-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2540-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2540-21-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2540-17-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2208-28-0x0000000074A70000-0x000000007515E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-08 16:53

Reported

2024-05-08 16:56

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe"

Signatures

Snake Keylogger

stealer keylogger snakekeylogger

Snake Keylogger payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1164 set thread context of 436 | N/A | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1164 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1164 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1164 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1164 wrote to memory of 3144 | N/A | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1164 wrote to memory of 3144 | N/A | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1164 wrote to memory of 3144 | N/A | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1164 wrote to memory of 436 | N/A | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe
PID 1164 wrote to memory of 436 | N/A | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe
PID 1164 wrote to memory of 436 | N/A | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe
PID 1164 wrote to memory of 436 | N/A | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe
PID 1164 wrote to memory of 436 | N/A | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe
PID 1164 wrote to memory of 436 | N/A | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe
PID 1164 wrote to memory of 436 | N/A | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe
PID 1164 wrote to memory of 436 | N/A | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe

"C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KYmWnLVcE.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KYmWnLVcE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7791.tmp"

C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe

"C:\Users\Admin\AppData\Local\Temp\z26MB263350412AE.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | checkip.dyndns.org | udp
DE | 193.122.6.168:80 | checkip.dyndns.org | tcp
US | 8.8.8.8:53 | 168.6.122.193.in-addr.arpa | udp
US | 8.8.8.8:53 | reallyfreegeoip.org | udp
US | 104.21.67.152:443 | reallyfreegeoip.org | tcp
US | 8.8.8.8:53 | 152.67.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | scratchdreams.tk | udp
US | 172.67.169.18:443 | scratchdreams.tk | tcp
US | 8.8.8.8:53 | 18.169.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | mail.speedhouseoman.com | udp
GB | 149.255.62.32:587 | mail.speedhouseoman.com | tcp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 32.62.255.149.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp

Files

memory/1164-0-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

memory/1164-1-0x0000000000C80000-0x0000000000D26000-memory.dmp

memory/1164-2-0x0000000005CE0000-0x0000000006284000-memory.dmp

memory/1164-3-0x0000000005730000-0x00000000057C2000-memory.dmp

memory/1164-4-0x00000000056E0000-0x00000000056EA000-memory.dmp

memory/1164-5-0x0000000005990000-0x0000000005A2C000-memory.dmp

memory/1164-6-0x0000000074A60000-0x0000000075210000-memory.dmp

memory/1164-7-0x0000000006490000-0x00000000064AC000-memory.dmp

memory/1164-8-0x00000000064C0000-0x00000000064CE000-memory.dmp

memory/1164-9-0x00000000064D0000-0x00000000064E6000-memory.dmp

memory/1164-10-0x0000000007710000-0x000000000777C000-memory.dmp

memory/2128-15-0x0000000004500000-0x0000000004536000-memory.dmp

memory/2128-16-0x0000000074A60000-0x0000000075210000-memory.dmp

memory/2128-17-0x0000000004BD0000-0x00000000051F8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7791.tmp

MD5 07365b7245d440b507fe0db7fb894544
SHA1 0a78296afa5114f71f79ed5f3c02cc973888157e
SHA256 7ee9c25b1f46c3ad7e9811311f19aca157976a553b35870614e42b2ccd45425c
SHA512 caa7a423d248e7744d1836cfb1d5dffcb4b236c49c8411e36fd1a7f1f9c1140ff46123d82fff89a7fac4d73b1073d581b08232c275795fda59957b22938772e4

memory/2128-20-0x0000000074A60000-0x0000000075210000-memory.dmp

memory/2128-18-0x0000000074A60000-0x0000000075210000-memory.dmp

memory/2128-21-0x00000000049F0000-0x0000000004A12000-memory.dmp

memory/2128-23-0x0000000005370000-0x00000000053D6000-memory.dmp

memory/436-24-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2128-22-0x0000000004A90000-0x0000000004AF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b0dmfcfj.xmg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\z26MB263350412AE.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

memory/2128-36-0x00000000054E0000-0x0000000005834000-memory.dmp

memory/1164-38-0x0000000074A60000-0x0000000075210000-memory.dmp

memory/436-37-0x0000000074A60000-0x0000000075210000-memory.dmp

memory/2128-39-0x0000000005AB0000-0x0000000005ACE000-memory.dmp

memory/2128-40-0x0000000005AF0000-0x0000000005B3C000-memory.dmp

memory/2128-41-0x0000000006A90000-0x0000000006AC2000-memory.dmp

memory/2128-42-0x00000000752F0000-0x000000007533C000-memory.dmp

memory/2128-52-0x0000000006A50000-0x0000000006A6E000-memory.dmp

memory/2128-53-0x0000000006AD0000-0x0000000006B73000-memory.dmp

memory/2128-54-0x0000000007420000-0x0000000007A9A000-memory.dmp

memory/2128-55-0x0000000006DE0000-0x0000000006DFA000-memory.dmp

memory/2128-56-0x0000000006E50000-0x0000000006E5A000-memory.dmp

memory/2128-57-0x0000000007060000-0x00000000070F6000-memory.dmp

memory/2128-58-0x0000000006FE0000-0x0000000006FF1000-memory.dmp

memory/2128-59-0x0000000007010000-0x000000000701E000-memory.dmp

memory/2128-60-0x0000000007020000-0x0000000007034000-memory.dmp

memory/2128-61-0x0000000007120000-0x000000000713A000-memory.dmp

memory/2128-62-0x0000000007100000-0x0000000007108000-memory.dmp

memory/2128-64-0x0000000074A60000-0x0000000075210000-memory.dmp

memory/436-65-0x0000000074A60000-0x0000000075210000-memory.dmp

memory/436-66-0x0000000006A40000-0x0000000006A90000-memory.dmp

memory/436-67-0x0000000006C60000-0x0000000006E22000-memory.dmp

memory/436-68-0x0000000007360000-0x000000000788C000-memory.dmp