snakekeylogger | 4d89b6fc60ffaa84af321fb2120185994a22605d80d175d71c5780e753d3ec8d

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2024 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ref_0120_0122.vbe
Size

11KB
MD5

f2ba7d3b3cdabd02dbcccb1174088b1d
SHA1

dbc02a29b2b042af0b988c698be5be7885e127c1
SHA256

4d89b6fc60ffaa84af321fb2120185994a22605d80d175d71c5780e753d3ec8d
SHA512

876f7a01b9abbaaf7dff88e16a362eafa5ba13b9031c1d6cfef195b426e89c4a287c26d717320886a225d7904aca3635bf3a6a8f2286a5d89bfadb0b330da154
SSDEEP

192:lwZ1ZSTlbLJya3RGALtUtNG7YkGEY9CNsRXX1SAkt0pdzea1iGDcgjK:6rITlbz3L5UtNGWEYCNsRXX1medzL1iZ

Score

10^/10

snakekeylogger discovery keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
bisttro.shop
Port:
587
Username:
[email protected]
Password:
W79cDo2h05Iv
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral2/memory/808-79-0x0000000000C00000-0x0000000000C26000-memory.dmp	family_snakekeylogger

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	4548	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WScript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
66	checkip.dyndns.org

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1824 set thread context of 808	1824	powershell.exe	102
PID 2392 set thread context of 4396	2392	powershell.exe	113
PID 3976 set thread context of 4916	3976	powershell.exe	121
PID 1680 set thread context of 3104	1680	powershell.exe	130

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe

Enumerates system info in registry 2 TTPs 17 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3624	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1824	powershell.exe
1824	powershell.exe
2536	powershell.exe
2536	powershell.exe
2536	powershell.exe
1824	powershell.exe
1824	powershell.exe
808	MSBuild.exe
2392	powershell.exe
2392	powershell.exe
2320	powershell.exe
2320	powershell.exe
2392	powershell.exe
4396	MSBuild.exe
3976	powershell.exe
3976	powershell.exe
3976	powershell.exe
4916	MSBuild.exe
1680	powershell.exe
1680	powershell.exe
5100	powershell.exe
5100	powershell.exe
3104	MSBuild.exe
1680	powershell.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	808	MSBuild.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	4396	MSBuild.exe
Token: SeDebugPrivilege	3976	powershell.exe
Token: SeDebugPrivilege	4916	MSBuild.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	5100	powershell.exe
Token: SeDebugPrivilege	3104	MSBuild.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
3624	EXCEL.EXE
3624	EXCEL.EXE
3624	EXCEL.EXE
3624	EXCEL.EXE
3624	EXCEL.EXE
3624	EXCEL.EXE
3624	EXCEL.EXE
3624	EXCEL.EXE
3624	EXCEL.EXE
3624	EXCEL.EXE
3624	EXCEL.EXE
3624	EXCEL.EXE
3624	EXCEL.EXE
3624	EXCEL.EXE
3624	EXCEL.EXE
3624	EXCEL.EXE
3624	EXCEL.EXE
3624	EXCEL.EXE
3624	EXCEL.EXE
3624	EXCEL.EXE
3624	EXCEL.EXE
3624	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 1824	4584	WScript.exe	92
PID 4584 wrote to memory of 1824	4584	WScript.exe	92
PID 4584 wrote to memory of 2536	4584	WScript.exe	100
PID 4584 wrote to memory of 2536	4584	WScript.exe	100
PID 1824 wrote to memory of 808	1824	powershell.exe	102
PID 1824 wrote to memory of 808	1824	powershell.exe	102
PID 1824 wrote to memory of 808	1824	powershell.exe	102
PID 1824 wrote to memory of 808	1824	powershell.exe	102
PID 1824 wrote to memory of 808	1824	powershell.exe	102
PID 1824 wrote to memory of 808	1824	powershell.exe	102
PID 1824 wrote to memory of 808	1824	powershell.exe	102
PID 1824 wrote to memory of 808	1824	powershell.exe	102
PID 2536 wrote to memory of 2232	2536	powershell.exe	103
PID 2536 wrote to memory of 2232	2536	powershell.exe	103
PID 1824 wrote to memory of 1972	1824	powershell.exe	104
PID 1824 wrote to memory of 1972	1824	powershell.exe	104
PID 808 wrote to memory of 2952	808	MSBuild.exe	106
PID 808 wrote to memory of 2952	808	MSBuild.exe	106
PID 808 wrote to memory of 2952	808	MSBuild.exe	106
PID 2952 wrote to memory of 672	2952	cmd.exe	108
PID 2952 wrote to memory of 672	2952	cmd.exe	108
PID 2952 wrote to memory of 672	2952	cmd.exe	108
PID 4584 wrote to memory of 2392	4584	WScript.exe	109
PID 4584 wrote to memory of 2392	4584	WScript.exe	109
PID 4584 wrote to memory of 2320	4584	WScript.exe	111
PID 4584 wrote to memory of 2320	4584	WScript.exe	111
PID 2392 wrote to memory of 4396	2392	powershell.exe	113
PID 2392 wrote to memory of 4396	2392	powershell.exe	113
PID 2392 wrote to memory of 4396	2392	powershell.exe	113
PID 2392 wrote to memory of 4396	2392	powershell.exe	113
PID 2392 wrote to memory of 4396	2392	powershell.exe	113
PID 2392 wrote to memory of 4396	2392	powershell.exe	113
PID 2392 wrote to memory of 4396	2392	powershell.exe	113
PID 2392 wrote to memory of 4396	2392	powershell.exe	113
PID 2392 wrote to memory of 2044	2392	powershell.exe	114
PID 2392 wrote to memory of 2044	2392	powershell.exe	114
PID 2320 wrote to memory of 5100	2320	powershell.exe	115
PID 2320 wrote to memory of 5100	2320	powershell.exe	115
PID 4396 wrote to memory of 3008	4396	MSBuild.exe	116
PID 4396 wrote to memory of 3008	4396	MSBuild.exe	116
PID 4396 wrote to memory of 3008	4396	MSBuild.exe	116
PID 3008 wrote to memory of 4812	3008	cmd.exe	118
PID 3008 wrote to memory of 4812	3008	cmd.exe	118
PID 3008 wrote to memory of 4812	3008	cmd.exe	118
PID 4584 wrote to memory of 3976	4584	WScript.exe	119
PID 4584 wrote to memory of 3976	4584	WScript.exe	119
PID 3976 wrote to memory of 4916	3976	powershell.exe	121
PID 3976 wrote to memory of 4916	3976	powershell.exe	121
PID 3976 wrote to memory of 4916	3976	powershell.exe	121
PID 3976 wrote to memory of 4916	3976	powershell.exe	121
PID 3976 wrote to memory of 4916	3976	powershell.exe	121
PID 3976 wrote to memory of 4916	3976	powershell.exe	121
PID 3976 wrote to memory of 4916	3976	powershell.exe	121
PID 3976 wrote to memory of 4916	3976	powershell.exe	121
PID 3976 wrote to memory of 1396	3976	powershell.exe	122
PID 3976 wrote to memory of 1396	3976	powershell.exe	122
PID 4916 wrote to memory of 3172	4916	MSBuild.exe	123
PID 4916 wrote to memory of 3172	4916	MSBuild.exe	123
PID 4916 wrote to memory of 3172	4916	MSBuild.exe	123
PID 3172 wrote to memory of 2976	3172	cmd.exe	125
PID 3172 wrote to memory of 2976	3172	cmd.exe	125
PID 3172 wrote to memory of 2976	3172	cmd.exe	125
PID 4584 wrote to memory of 1680	4584	WScript.exe	126
PID 4584 wrote to memory of 1680	4584	WScript.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ref_0120_0122.vbe"
1⤵
- Blocklisted process makes network request
PID:4548

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\nerIVJXTbrPkqwd.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:808
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:672
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1824" "2856" "2796" "2860" "0" "0" "2864" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:1972
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2536" "2680" "2608" "2684" "0" "0" "2688" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:2232
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4396
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3008
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4812
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2392" "2720" "2656" "2724" "0" "0" "2728" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:2044
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2320" "2720" "2648" "2724" "0" "0" "2728" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:5100
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4916
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3172
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3976" "2724" "2396" "2728" "0" "0" "2732" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:1396
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3104
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3152
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3780
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1680" "2740" "2672" "2744" "0" "0" "2748" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:5024
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5100
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5100" "2768" "2692" "2772" "0" "0" "2776" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:4192

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\SearchRegister.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3f01549ee3e4c18244797530b588dad9

SHA1
3e87863fc06995fe4b741357c68931221d6cc0b9

SHA256
36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

SHA512
73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Filesize
1KB

MD5
3668d81576650b0fe5ec94229737504a

SHA1
ab4d7a47e6870d67ad9373aaeb2d3c95b4282a15

SHA256
9e465fac2511971cffa834b8d51f56cbb65202b68fab3e054b483c46460155c8

SHA512
24625f6d057e6c329b7d2b5c689d7cd7fd3c51b35fa83662203255d496ac1b43b7d15c02c6ada5d5f343c9bf9d2efdb56a60e1585a564788b0eea925067c7a4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
3KB

MD5
6e809f4c18466a0a63db912fb7a2441c

SHA1
d88653e1426406c3175c3fee38d55cd94a1ec5b1

SHA256
2a684a0f36716559ec3fef1d5cdcd0fa7d48cd59e40457b7adc4d7b1f9a0c9fa

SHA512
b47bb55f42d8930277dcab4d3850aba5b1f40b794f07cf1a0858b7280dc8bab243f445c50d2a45fa183c8f664c4864f476d4565c85380fc10cf45fe53d16100c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
d9bfbdfd06a65441f12705c441d6918f

SHA1
7217db9396a79b145524c5ce6ce34a8978532b60

SHA256
14e7383d905e72b1d065d1fa6abf8bcb42bdac9916ef5257c3b4150d0a6a6eb3

SHA512
ec1c2817de2abc7c01a44e931f8acfbbb8430f5172f6cafecc4cf121d8903c5e49dfd2a87e427e98f39ccebf253fcaea721727c15bd93dbc177b58b56a3cbaf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
3KB

MD5
57d1f3c12c9a068bfeb6a5447a22e167

SHA1
f8f1e0e4bd5626fb341812862257d3fc31cf3146

SHA256
6dfdea062535b84b139b5970a94db00766af01297979b3328728aa20e2da4833

SHA512
06aec1ed4a896da5d14347ebb02d363671ebb9a0fedcc02b3883123b39446eb5dd381bb2fefdb70049df14b926a205e9873a43d0906c4c65d0b84a1ebf1b025b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
a750d5580aa533aa633fc00348c11a9c

SHA1
daa848cb82b819f79cc1b2e2325872ac4569ac65

SHA256
c1972100f2bef1fd1aad9c8308b765b59e8a4b397249475399788bce72196fb0

SHA512
386c496d4e2d1ad3fe3b75d94813449b0b4b205bdfabacbcf4c741632033dde36b566812a6157ba039bef05d9caedb85aacc40cbcf198cbd257512fcce00f467

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
435B

MD5
efa26474ca6aaeffe63cb937709a04c0

SHA1
2b09ba354474978024843e813afcb54a44557934

SHA256
024b750900ddeb9b7e9407d3cb1d5058f699d3b0486006d1371125dcd8a71b3a

SHA512
3ff7855895ae37fc7407e57125096a227b7a90a1c8c8c4d51a43f0b1d91be73f4dc16ab0db9fa1b9b427c98c02effa9f1243ef9eb2c634942850061287801049

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dnqt1ere.2nh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
329B

MD5
ec128cb26fdf273c06138ae1e67cd353

SHA1
f1a4011e8cca17bfdce81fd844c5e7ae8b354463

SHA256
109db33c35e30e0108c621816a3bdf6b7779c5140151987b331dd2087489c053

SHA512
f155e2aa63e2576709b0ab33eac066c826c45583920f7060b6801930539d6447e04db2bdc39d9b059d4435899fb295c9209b81985633c6f20cf797819d51ec04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Filesize
252B

MD5
fe8c809a1aae7fb8ae8ff6dccb21d7c3

SHA1
e886b06370a039f4fe4b8596e836f22124a6af80

SHA256
84c14dd26126f393b06fb62438f48baf6358f003ec3100b0840de3fb2d5cabe8

SHA512
85dd0f0f240eca5094863374ea2e42145d58aaa08fb2807d4215aee6df2bab4a909dd82138d43585f7043db4f39f0d204d1eb00e7cfabb740944dbde18d62882

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Filesize
504B

MD5
76f9e2356d77e9450569350256fc1c00

SHA1
cbdb84fc7a8af902d7c48515bb24fd05f19fc536

SHA256
3ad06244ec59eabc524d0b5af370d05423ae179c50b66887f9798fb323fa2841

SHA512
4073746345113e806cf7eea6446412eedbc589b9e4a246fe751b88df86151a5c4be2e17885365261d09649fb43fb2e1c7c73950bf1a045da06ecb727d09a7d31

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Filesize
756B

MD5
2b4499ef082b35ab4620793e76494327

SHA1
c7d23dd28d29b14ba9629ef59e634cd0bda3ee12

SHA256
6be3012d26fa03a9c49bfbe2e2a3947ac3a216e5dd3ccc4ad8600925c25086db

SHA512
3be7bcf5cfe0e782741c2bad5b91824a5a915a27c590502425718db113b380c5c61e05e277082be237cdccc848b1b2e811725c8c8dd1635d046fad45413b1a93

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
37ed10f55ea2f9be8260644c0e5f2cfd

SHA1
dc2dfdc18ba436f52b926ae78bf0e558d77b13e2

SHA256
f24957b2b3235032a9e5f366cd837cc276a52150d75ca3be04185017e52267fc

SHA512
d60ab62b0367d37922eca14d12b40b1c40eb9780f2fef45e46021565b28b087e3bed1e4b00fb1d6ab47d47378e4c9b175b4b870326bdd78c01e70f7046c57c1f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
d9074a6e554c95557f533ee30195908f

SHA1
c4db7bfe9bcc4c595ab93c2b25d4ec0cc13fa828

SHA256
d178eacb22eb856459e650afb450f136d62c46c340716717fe9b1f9282e27cd9

SHA512
e4db80cdc7e6f63a8257d066f1a53f9325cfb0c9fda3c635ab35fc9375ab228204c8cea84b83c5c10e4ffefbba4ecbcc8148d6869ac40a4071de550ef682d2c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
6cc4f268542e312af5ef0fffdbee2292

SHA1
98989b8075db099286fa1f5acf89baec85d841e9

SHA256
1dd95019730b6c9a812dde3fb8db78f52eba9a1ce517d679e58affbf7a1479fd

SHA512
5ee3720193fa39e1c9dfc5e64ae950b63af789f8a897d57fdaf7e53cce3d04369b160b40574f1879318d9efadffdce6a6cc5893b5225f759b7f958c63429f464

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
51ebb47227207f742bf45acc3e0a8f2f

SHA1
9391a16d9d9dca99af20aa2f17f4eb5c537100d1

SHA256
8bf8c041d38c8c859f301d61ef8fbb78cc9c7cd18a8154685ebcb931d303af79

SHA512
e8efe8125e6e151debf8cc4c2971cddcc37f6eb1c9a55af147a9a4fd7d79186ec62e49fa8fb592c009d8ec9acb83431c0b19f2087a18f33c6233b864b83755f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
b04e465ae9b2199a1e4e0b7ada0faedb

SHA1
c13433ccdb8874d33e4203f9e026a5e6fa805658

SHA256
14c85fafc929e62a2492ec9bcd5aee91919549c216d1c2134df31a89cbfb9c93

SHA512
7b209d944c7fff6628d5d74afe410c2e6a3d66046fc2722c5932ec8054ce17e77d850f5b6050b315f63c541dbe0dcd805b9b8386c07d8c5ead0f4f25a3edd58e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
391435af92a2118f64acc7d6163ef22a

SHA1
8553c73309fbfdd95154cba83ac0e9988d349fc1

SHA256
af77e4dde15a1a80daafe16baff37a2ac411b6a4835d27076990d626973f482f

SHA512
4a14402e9c110745594a45a7890d77c219a90c8649e344f801cbd943631278c057930167c345c9f54a753f91966d33f641a858c7418d21f55ba3a9963a77ec3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
304dbdf85621050c622742a9a072b16c

SHA1
10876724169505cb14395316ebbb7dec8440e7d8

SHA256
a1735030e90264e582ee1bf4e7b84fed58833e3361ce6dbf416b576cdf33ce0c

SHA512
047a5e7f29c8802bac96f122150ba8544ad0266f34e568403b3a7ab5b69926c9042b5ea377db61320974744b945cca49402fa429f485f82b26ab162cab05f98b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
680B

MD5
de004ae7a2dc5ff8151d4341f2a12cc4

SHA1
5d5867e345533fcfce15f2b56cb82dbcdb5eca75

SHA256
c063a7fc62e96a9953cf7963cec9f2cc3d2c59eb7ab8d0b440887f98c24a5ad6

SHA512
631ae34f46c7b2f399c1e466df9e9111517d81de8e0fcc30b64b0e4eb5055ddfd5a71509a6437d8d51f0267efeb5511b1ec3e6fc20eee84a3b687401e6977788

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
f065142719f1f25a3037d7cce95494a7

SHA1
c4f1b57b78ac947709072c2284250f07d1e30f2a

SHA256
8c3166a0e36fd657fb96e52e5b849483b543e7fbe2fc6feed7d798a8fe6e66c4

SHA512
07bec64d52ccaca6423fe683af3296ab813d4b3ab136fe484c863d15224e77d3167909a67422f7fb4236dca588785c714f8bd14055b03902c5e964720002ed73

Download Submit
C:\Users\Admin\AppData\Roaming\nerIVJXTbrPkqwd.vbs

Filesize
2KB

MD5
4ab3e87d9d3e6cf50f9787e2085fa8c7

SHA1
5203b0409105410903b2ec612684e1c1d3c5d7c4

SHA256
4f42c1f4f7fb9a5813e1710b80f7841b71ee5fff65255dc20f1c8b3eba26574b

SHA512
c3999a17ac473ed314a06625bdbca4249198ba9b7e266fefe487d976021c2ca2aa7b58ffa6d89459bb4904713a1c71bcc82e3b70481a28638debc34ddee1c5fd

Download Submit
memory/808-79-0x0000000000C00000-0x0000000000C26000-memory.dmp

Filesize
152KB

Download
memory/808-98-0x00000000058B0000-0x0000000005E54000-memory.dmp

Filesize
5.6MB

Download
memory/808-99-0x0000000005230000-0x00000000052CC000-memory.dmp

Filesize
624KB

Download
memory/1824-69-0x000002C7D1030000-0x000002C7D103A000-memory.dmp

Filesize
40KB

Download
memory/1824-62-0x000002C7D1020000-0x000002C7D102A000-memory.dmp

Filesize
40KB

Download
memory/1824-15-0x000002C7D1120000-0x000002C7D1196000-memory.dmp

Filesize
472KB

Download
memory/1824-14-0x000002C7D1050000-0x000002C7D1094000-memory.dmp

Filesize
272KB

Download
memory/1824-13-0x000002C7B65A0000-0x000002C7B65C2000-memory.dmp

Filesize
136KB

Download
memory/3624-22-0x00007FFA8C940000-0x00007FFA8C950000-memory.dmp

Filesize
64KB

Download
memory/3624-21-0x00007FFA8C940000-0x00007FFA8C950000-memory.dmp

Filesize
64KB

Download
memory/3624-19-0x00007FFA8F030000-0x00007FFA8F040000-memory.dmp

Filesize
64KB

Download
memory/3624-20-0x00007FFA8F030000-0x00007FFA8F040000-memory.dmp

Filesize
64KB

Download
memory/3624-17-0x00007FFA8F030000-0x00007FFA8F040000-memory.dmp

Filesize
64KB

Download
memory/3624-18-0x00007FFA8F030000-0x00007FFA8F040000-memory.dmp

Filesize
64KB

Download
memory/3624-16-0x00007FFA8F030000-0x00007FFA8F040000-memory.dmp

Filesize
64KB

Download