Malware Analysis Report

2024-10-18 23:14

Sample ID 240515-cg13pace82
Target f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe
SHA256 f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4
Tags: snakekeylogger collection execution keylogger spyware stealer
Score: 10/10

Table of Contents

- Analysis Overview
- MITRE ATT&CK
  - Enterprise Matrix V15
- Analysis: static1
  - Detonation Overview
  - Signatures
- Analysis: behavioral1
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files
- Analysis: behavioral2
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files

Analysis Overview

Score: 10/10

SHA256: f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4

Threat Level: Known bad

The file f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe was found to be: Known bad.

Malicious Activity Summary

snakekeylogger collection execution keylogger spyware stealer

Snake Keylogger payload

Snake Keylogger

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables with potential process hooking

Detects executables referencing many email and collaboration clients. Observed in information stealers.

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Checks computer location settings

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

outlook_win_path

outlook_office_path

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-15 02:03

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-15 02:03
Reported: 2024-05-15 02:06
Platform: win7-20231129-en
Max time kernel: 117s
Max time network: 142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe"

Signatures

Snake Keylogger

stealer keylogger snakekeylogger

Snake Keylogger payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Detects executables referencing many email and collaboration clients. Observed in information stealers.

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Detects executables with potential process hooking

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = [blob data omitted] | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = [blob data omitted] | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = [blob data omitted] | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2268 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2268 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2268 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2268 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2268 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2268 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2268 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2268 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2268 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2268 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2268 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2268 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2268 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe
PID 2268 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe
PID 2268 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe
PID 2268 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe
PID 2268 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe
PID 2268 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe
PID 2268 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe
PID 2268 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe
PID 2268 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe
PID 2268 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe
PID 2268 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe
PID 2268 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe
PID 2268 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe
PID 2268 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe
PID 2268 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe
PID 2268 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe
PID 2268 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe

"C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\EDqfTdWmvf.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EDqfTdWmvf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2961.tmp"

C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe

"C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe"

C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe

"C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe"

C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe

"C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | checkip.dyndns.org | udp
DE | 193.122.6.168:80 | checkip.dyndns.org | tcp
US | 8.8.8.8:53 | reallyfreegeoip.org | udp
US | 104.21.67.152:443 | reallyfreegeoip.org | tcp
US | 8.8.8.8:53 | pki.goog | udp
US | 216.239.32.29:80 | pki.goog | tcp
US | 8.8.8.8:53 | www.microsoft.com | udp
US | 8.8.8.8:53 | scratchdreams.tk | udp
US | 172.67.169.18:443 | scratchdreams.tk | tcp

Files

memory/2268-0-0x0000000073FDE000-0x0000000073FDF000-memory.dmp

memory/2268-1-0x0000000000020000-0x00000000000BA000-memory.dmp

memory/2268-2-0x0000000073FD0000-0x00000000746BE000-memory.dmp

memory/2268-3-0x0000000000670000-0x0000000000690000-memory.dmp

memory/2268-4-0x00000000006A0000-0x00000000006B0000-memory.dmp

memory/2268-5-0x0000000000730000-0x0000000000746000-memory.dmp

memory/2268-6-0x00000000052E0000-0x0000000005348000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZGRUW12CAC5SXTB9U8F5.temp

MD5 5f09defbb8cb59cda309c0e04a62e8b0
SHA1 0ba61390d5a2850548c3825911b021a29d90a9a0
SHA256 cf7f78363dc7dd15ca55723c374aa31a0bf3547d1b0685427190808c66ffd705
SHA512 0f0e55e5f6ca2ac5559c36cbb4cba9a215db938db2f9d30595486d94382cab20744fd4af56159646bdc8384a30db4df1fb107ef9291d471c68e16f05935d2cca

C:\Users\Admin\AppData\Local\Temp\tmp2961.tmp

MD5 d0d01c2860a1e16c2e51e61c001202e0
SHA1 bb5673ab505bee8d2324cee249199f7e2166c943
SHA256 9e8219e2363947d39f8ca13660c7e892020427cb5743d21c912b7bd116bc2245
SHA512 e463a421298554e9e2102ca67b90e02d1c5546c0ac4ae4433230e55c1fc3e217e98ed060169c474f610120b2e17e101fe51b85a74d07809eb140ec83c0d43671

memory/2628-23-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2628-21-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2628-31-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2628-29-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2628-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2628-28-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2628-19-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2628-25-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2268-32-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-15 02:03
Reported: 2024-05-15 02:06
Platform: win10v2004-20240508-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe"

Signatures

Snake Keylogger

stealer keylogger snakekeylogger

Snake Keylogger payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detects executables referencing many email and collaboration clients. Observed in information stealers.

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detects executables with potential process hooking

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 212 wrote to memory of 440 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 212 wrote to memory of 440 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 212 wrote to memory of 440 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 212 wrote to memory of 5096 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 212 wrote to memory of 5096 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 212 wrote to memory of 5096 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 212 wrote to memory of 4800 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Windows\SysWOW64\schtasks.exe
PID 212 wrote to memory of 4800 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Windows\SysWOW64\schtasks.exe
PID 212 wrote to memory of 4800 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Windows\SysWOW64\schtasks.exe
PID 212 wrote to memory of 4316 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe
PID 212 wrote to memory of 4316 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe
PID 212 wrote to memory of 4316 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe
PID 212 wrote to memory of 3740 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe
PID 212 wrote to memory of 3740 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe
PID 212 wrote to memory of 3740 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe
PID 212 wrote to memory of 3740 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe
PID 212 wrote to memory of 3740 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe
PID 212 wrote to memory of 3740 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe
PID 212 wrote to memory of 3740 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe
PID 212 wrote to memory of 3740 | N/A | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe

"C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\EDqfTdWmvf.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EDqfTdWmvf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp760B.tmp"

C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe

"C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe"

C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe

"C:\Users\Admin\AppData\Local\Temp\f815285cda1f471dc22b3c4582d1c5fad00bacc7c5e76a08f289d7fae6a35bd4.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | checkip.dyndns.org | udp
US | 158.101.44.242:80 | checkip.dyndns.org | tcp
US | 8.8.8.8:53 | 242.44.101.158.in-addr.arpa | udp
US | 8.8.8.8:53 | reallyfreegeoip.org | udp
US | 104.21.67.152:443 | reallyfreegeoip.org | tcp
US | 8.8.8.8:53 | 152.67.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | scratchdreams.tk | udp
US | 172.67.169.18:443 | scratchdreams.tk | tcp
US | 8.8.8.8:53 | 18.169.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 52.111.229.43:443 | N/A | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp

Files

memory/212-0-0x000000007464E000-0x000000007464F000-memory.dmp

memory/212-1-0x0000000000CC0000-0x0000000000D5A000-memory.dmp

memory/212-2-0x0000000005D50000-0x00000000062F4000-memory.dmp

memory/212-3-0x00000000057A0000-0x0000000005832000-memory.dmp

memory/212-4-0x0000000005740000-0x000000000574A000-memory.dmp

memory/212-5-0x0000000074640000-0x0000000074DF0000-memory.dmp

memory/212-6-0x0000000005B70000-0x0000000005B90000-memory.dmp

memory/212-7-0x0000000005CC0000-0x0000000005CD0000-memory.dmp

memory/212-8-0x0000000005CD0000-0x0000000005CE6000-memory.dmp

memory/212-9-0x0000000007110000-0x0000000007178000-memory.dmp

memory/212-10-0x0000000009770000-0x000000000980C000-memory.dmp

memory/440-15-0x0000000002B10000-0x0000000002B46000-memory.dmp

memory/440-16-0x0000000074640000-0x0000000074DF0000-memory.dmp

memory/440-17-0x00000000055C0000-0x0000000005BE8000-memory.dmp

memory/5096-18-0x0000000074640000-0x0000000074DF0000-memory.dmp

memory/440-19-0x0000000074640000-0x0000000074DF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp760B.tmp

MD5 516d5d6bddce066b1ae971fccaf11880
SHA1 4da4485a33fbdd8927cd677bf0f16818dd012217
SHA256 77de518f161c38c78a0fd91112c4a10224610a6458c59f3143c08f6c05317687
SHA512 fa44bd5428ad43c1e47f6527f3507addeab1304215a668c5d29c60df4cda17969ed020ff370042daad30ee9d6857020cf6cd1a7b9f9cd95ea6153f0c4e7d15c9

memory/5096-21-0x0000000074640000-0x0000000074DF0000-memory.dmp

memory/3740-22-0x0000000000400000-0x0000000000426000-memory.dmp

memory/440-25-0x0000000005BF0000-0x0000000005C56000-memory.dmp

memory/440-24-0x0000000005500000-0x0000000005566000-memory.dmp

memory/440-23-0x0000000005460000-0x0000000005482000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fqxaoelz.l1g.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/212-45-0x0000000074640000-0x0000000074DF0000-memory.dmp

memory/440-27-0x0000000005DF0000-0x0000000006144000-memory.dmp

memory/440-47-0x0000000006430000-0x000000000644E000-memory.dmp

memory/440-48-0x0000000006A10000-0x0000000006A5C000-memory.dmp

memory/440-50-0x0000000070DB0000-0x0000000070DFC000-memory.dmp

memory/5096-61-0x0000000070DB0000-0x0000000070DFC000-memory.dmp

memory/440-60-0x0000000006980000-0x000000000699E000-memory.dmp

memory/5096-71-0x0000000007650000-0x00000000076F3000-memory.dmp

memory/440-49-0x00000000073F0000-0x0000000007422000-memory.dmp

memory/5096-72-0x0000000007D80000-0x00000000083FA000-memory.dmp

memory/5096-73-0x0000000007720000-0x000000000773A000-memory.dmp

memory/5096-74-0x0000000007790000-0x000000000779A000-memory.dmp

memory/5096-75-0x00000000079A0000-0x0000000007A36000-memory.dmp

memory/440-76-0x0000000007950000-0x0000000007961000-memory.dmp

memory/5096-77-0x0000000007950000-0x000000000795E000-memory.dmp

memory/5096-78-0x0000000007960000-0x0000000007974000-memory.dmp

memory/440-79-0x0000000007A90000-0x0000000007AAA000-memory.dmp

memory/5096-80-0x0000000007A40000-0x0000000007A48000-memory.dmp

memory/5096-87-0x0000000074640000-0x0000000074DF0000-memory.dmp

memory/440-86-0x0000000074640000-0x0000000074DF0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 92375d72d5f37e3f12221dfbd5537469
SHA1 7f1f6ef317b89bbb63ff0e9d015ab19d26cfc138
SHA256 b10ea9ad5c9f310195cd7caed25ad4e9fa86b6cada9d4417a29b7a9eb6444409
SHA512 0e8c910d9082d5ae9b8a086d48928bb5c688a0cc0c3dc61af9c9f85465f32ed8ebc5fc9dfca7a2dabe947b75e148ff2820c9b75e14d204204c9bf1abd164bdfc

memory/3740-88-0x0000000006A40000-0x0000000006A90000-memory.dmp

memory/3740-89-0x0000000006C60000-0x0000000006E22000-memory.dmp