agenttesla | dfa31b84bc2fc462da90b7f1a13c30ef92965ceeb06db45879a5443ea0d99920

Resubmissions

16/12/2022, 08:37

221216-kjcrwaed77 10

16/12/2022, 08:22

221216-j92cgshb8y 10

Analysis

max time kernel
690s
max time network
693s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
16/12/2022, 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Scan20221216192254.exe
Size

1.4MB
MD5

876f5f878fc3f716cd877443ee68f7e3
SHA1

35a223eadf77e713de0f6a7951fdb32ec5a48973
SHA256

dfa31b84bc2fc462da90b7f1a13c30ef92965ceeb06db45879a5443ea0d99920
SHA512

3bc2f3a97613d054261086d0c1e83dab9237717142ac7d3ffe91ca5e918f73f0cf57b53e86aa1b4170c5bc4794c661fd079217d9e8150f7a942dde4e43dc6e83
SSDEEP

12288:OixF+mYOpvTDg1Hoz+JE2QsO4BeylBqN6hFfX05M1pDUQDoC+v5c+JQZ24146/PQ:rCEHsOzj4j85M1hUQDAxzJX4vgkW

Score

10^/10

agenttesla remcos thirdclients collection keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

remcos

Botnet

ThirdClients

79.134.225.97:1558

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
appsync.exe
copy_folder
Appsync
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Appsync
keylog_path
%AppData%
mouse_option
false
mutex
Appsync-00ARH2
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Appsync
take_screenshot_option
true
take_screenshot_time
55
take_screenshot_title
mail;webmail;crypto;btc;ethereum;bitcoin;eth;outlook;foxmail;bank;email;compose;

Extracted

Family

agenttesla

https://api.telegram.org/bot5169304639:AAEuGpfCL-hv_A-RdB_r9uRMHt_yvJZb2Z8/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Msacos\\Msacs.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Msacos\\Msags.exe,"	reg.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/880-98-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral1/memory/880-109-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/2032-97-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2032-99-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 5 IoCs

resource	yara_rule
behavioral1/memory/1320-96-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2032-97-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/880-98-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral1/memory/2032-99-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/880-109-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft

Executes dropped EXE 3 IoCs

pid	Process
1124	Msacs.exe
1012	dwn.exe
2008	Msags.exe

Loads dropped DLL 3 IoCs

pid	Process
428	cmd.exe
960	AddInProcess32.exe
1696	cmd.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	AddInProcess32.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	api.ipify.org
23	api.ipify.org

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1124 set thread context of 960	1124	Msacs.exe	37
PID 960 set thread context of 2032	960	AddInProcess32.exe	40
PID 960 set thread context of 880	960	AddInProcess32.exe	41
PID 960 set thread context of 1320	960	AddInProcess32.exe	42
PID 2008 set thread context of 1632	2008	Msags.exe	54

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
1636	PING.EXE
1048	PING.EXE
1844	PING.EXE
1492	PING.EXE
1532	PING.EXE
1948	PING.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1932	Scan20221216192254.exe
1932	Scan20221216192254.exe
1932	Scan20221216192254.exe
1124	Msacs.exe
1124	Msacs.exe
2032	AddInProcess32.exe
2032	AddInProcess32.exe
1012	dwn.exe
1012	dwn.exe
1012	dwn.exe
2008	Msags.exe
2008	Msags.exe
2008	Msags.exe
2008	Msags.exe
1632	InstallUtil.exe
1632	InstallUtil.exe
1632	InstallUtil.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
960	AddInProcess32.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
960	AddInProcess32.exe
960	AddInProcess32.exe
960	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	Scan20221216192254.exe
Token: SeDebugPrivilege	1124	Msacs.exe
Token: SeDebugPrivilege	1320	AddInProcess32.exe
Token: SeDebugPrivilege	1012	dwn.exe
Token: SeDebugPrivilege	2008	Msags.exe
Token: SeDebugPrivilege	1632	InstallUtil.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
960	AddInProcess32.exe
1632	InstallUtil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 1892	1932	Scan20221216192254.exe	28
PID 1932 wrote to memory of 1892	1932	Scan20221216192254.exe	28
PID 1932 wrote to memory of 1892	1932	Scan20221216192254.exe	28
PID 1932 wrote to memory of 1892	1932	Scan20221216192254.exe	28
PID 1892 wrote to memory of 1048	1892	cmd.exe	30
PID 1892 wrote to memory of 1048	1892	cmd.exe	30
PID 1892 wrote to memory of 1048	1892	cmd.exe	30
PID 1892 wrote to memory of 1048	1892	cmd.exe	30
PID 1932 wrote to memory of 428	1932	Scan20221216192254.exe	31
PID 1932 wrote to memory of 428	1932	Scan20221216192254.exe	31
PID 1932 wrote to memory of 428	1932	Scan20221216192254.exe	31
PID 1932 wrote to memory of 428	1932	Scan20221216192254.exe	31
PID 428 wrote to memory of 1844	428	cmd.exe	33
PID 428 wrote to memory of 1844	428	cmd.exe	33
PID 428 wrote to memory of 1844	428	cmd.exe	33
PID 428 wrote to memory of 1844	428	cmd.exe	33
PID 1892 wrote to memory of 528	1892	cmd.exe	34
PID 1892 wrote to memory of 528	1892	cmd.exe	34
PID 1892 wrote to memory of 528	1892	cmd.exe	34
PID 1892 wrote to memory of 528	1892	cmd.exe	34
PID 428 wrote to memory of 1492	428	cmd.exe	35
PID 428 wrote to memory of 1492	428	cmd.exe	35
PID 428 wrote to memory of 1492	428	cmd.exe	35
PID 428 wrote to memory of 1492	428	cmd.exe	35
PID 428 wrote to memory of 1124	428	cmd.exe	36
PID 428 wrote to memory of 1124	428	cmd.exe	36
PID 428 wrote to memory of 1124	428	cmd.exe	36
PID 428 wrote to memory of 1124	428	cmd.exe	36
PID 1124 wrote to memory of 960	1124	Msacs.exe	37
PID 1124 wrote to memory of 960	1124	Msacs.exe	37
PID 1124 wrote to memory of 960	1124	Msacs.exe	37
PID 1124 wrote to memory of 960	1124	Msacs.exe	37
PID 1124 wrote to memory of 960	1124	Msacs.exe	37
PID 1124 wrote to memory of 960	1124	Msacs.exe	37
PID 1124 wrote to memory of 960	1124	Msacs.exe	37
PID 1124 wrote to memory of 960	1124	Msacs.exe	37
PID 1124 wrote to memory of 960	1124	Msacs.exe	37
PID 1124 wrote to memory of 960	1124	Msacs.exe	37
PID 1124 wrote to memory of 960	1124	Msacs.exe	37
PID 1124 wrote to memory of 960	1124	Msacs.exe	37
PID 1124 wrote to memory of 960	1124	Msacs.exe	37
PID 960 wrote to memory of 2032	960	AddInProcess32.exe	40
PID 960 wrote to memory of 2032	960	AddInProcess32.exe	40
PID 960 wrote to memory of 2032	960	AddInProcess32.exe	40
PID 960 wrote to memory of 2032	960	AddInProcess32.exe	40
PID 960 wrote to memory of 2032	960	AddInProcess32.exe	40
PID 960 wrote to memory of 880	960	AddInProcess32.exe	41
PID 960 wrote to memory of 880	960	AddInProcess32.exe	41
PID 960 wrote to memory of 880	960	AddInProcess32.exe	41
PID 960 wrote to memory of 880	960	AddInProcess32.exe	41
PID 960 wrote to memory of 880	960	AddInProcess32.exe	41
PID 960 wrote to memory of 1320	960	AddInProcess32.exe	42
PID 960 wrote to memory of 1320	960	AddInProcess32.exe	42
PID 960 wrote to memory of 1320	960	AddInProcess32.exe	42
PID 960 wrote to memory of 1320	960	AddInProcess32.exe	42
PID 960 wrote to memory of 1320	960	AddInProcess32.exe	42
PID 960 wrote to memory of 1012	960	AddInProcess32.exe	43
PID 960 wrote to memory of 1012	960	AddInProcess32.exe	43
PID 960 wrote to memory of 1012	960	AddInProcess32.exe	43
PID 960 wrote to memory of 1012	960	AddInProcess32.exe	43
PID 1012 wrote to memory of 1716	1012	dwn.exe	44
PID 1012 wrote to memory of 1716	1012	dwn.exe	44
PID 1012 wrote to memory of 1716	1012	dwn.exe	44
PID 1012 wrote to memory of 1716	1012	dwn.exe	44

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\Scan20221216192254.exe
"C:\Users\Admin\AppData\Local\Temp\Scan20221216192254.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Msacos\Msacs.exe,"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 37
    3⤵
    - Runs ping.exe
    PID:1048
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Msacos\Msacs.exe,"
    3⤵
    - Modifies WinLogon for persistence
    PID:528
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 40 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Scan20221216192254.exe" "C:\Users\Admin\AppData\Roaming\Msacos\Msacs.exe" && ping 127.0.0.1 -n 40 > nul && "C:\Users\Admin\AppData\Roaming\Msacos\Msacs.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:428
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 40
    3⤵
    - Runs ping.exe
    PID:1844
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 40
    3⤵
    - Runs ping.exe
    PID:1492
- - C:\Users\Admin\AppData\Roaming\Msacos\Msacs.exe
    "C:\Users\Admin\AppData\Roaming\Msacos\Msacs.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1124
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:960
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\kfgcfekbu"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2032
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\vilvgxvdiumz"
        5⤵
        Accesses Microsoft Outlook accounts
        
        PID:880
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\fcyogpfwwcfmryys"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
    - - C:\Users\Admin\AppData\Local\Temp\dwn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dwn.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1012
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Msacos\Msags.exe,"
        6⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 37
        7⤵
        Runs ping.exe
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Msacos\Msags.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2036
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 41 > nul && copy "C:\Users\Admin\AppData\Local\Temp\dwn.exe" "C:\Users\Admin\AppData\Roaming\Msacos\Msags.exe" && ping 127.0.0.1 -n 41 > nul && "C:\Users\Admin\AppData\Roaming\Msacos\Msags.exe"
        6⤵
        Loads dropped DLL
        
        PID:1696
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 41
        7⤵
        Runs ping.exe
        
        PID:1948
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 41
        7⤵
        Runs ping.exe
        
        PID:1636
        
        C:\Users\Admin\AppData\Roaming\Msacos\Msags.exe
        
        "C:\Users\Admin\AppData\Roaming\Msacos\Msags.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        8⤵
        
        PID:880
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        8⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        outlook_office_path
        outlook_win_path
        
        PID:1632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dwn.exe

Filesize
990KB

MD5
5e712dd91a14698f67f5a270946fcbc6

SHA1
73d3a0b458b11d3731ef233ba921e72b190c79bf

SHA256
b5d9850b6c0d0f7db3122327226776f9b499fa873d9387db00c605d7e9379ef9

SHA512
c29de6114ef02e21be983ccaef0842f9a0b32b44480173cca4a74445fcf64a086f3922ab90a329b7561177bbc17e020fd0f878567810be4702c1f867c303d9da

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwn.exe

Filesize
990KB

MD5
5e712dd91a14698f67f5a270946fcbc6

SHA1
73d3a0b458b11d3731ef233ba921e72b190c79bf

SHA256
b5d9850b6c0d0f7db3122327226776f9b499fa873d9387db00c605d7e9379ef9

SHA512
c29de6114ef02e21be983ccaef0842f9a0b32b44480173cca4a74445fcf64a086f3922ab90a329b7561177bbc17e020fd0f878567810be4702c1f867c303d9da

Download Submit
C:\Users\Admin\AppData\Local\Temp\kfgcfekbu

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Msacos\Msacs.exe

Filesize
1.4MB

MD5
876f5f878fc3f716cd877443ee68f7e3

SHA1
35a223eadf77e713de0f6a7951fdb32ec5a48973

SHA256
dfa31b84bc2fc462da90b7f1a13c30ef92965ceeb06db45879a5443ea0d99920

SHA512
3bc2f3a97613d054261086d0c1e83dab9237717142ac7d3ffe91ca5e918f73f0cf57b53e86aa1b4170c5bc4794c661fd079217d9e8150f7a942dde4e43dc6e83

Download Submit
C:\Users\Admin\AppData\Roaming\Msacos\Msacs.exe

Filesize
1.4MB

MD5
876f5f878fc3f716cd877443ee68f7e3

SHA1
35a223eadf77e713de0f6a7951fdb32ec5a48973

SHA256
dfa31b84bc2fc462da90b7f1a13c30ef92965ceeb06db45879a5443ea0d99920

SHA512
3bc2f3a97613d054261086d0c1e83dab9237717142ac7d3ffe91ca5e918f73f0cf57b53e86aa1b4170c5bc4794c661fd079217d9e8150f7a942dde4e43dc6e83

Download Submit
C:\Users\Admin\AppData\Roaming\Msacos\Msags.exe

Filesize
990KB

MD5
5e712dd91a14698f67f5a270946fcbc6

SHA1
73d3a0b458b11d3731ef233ba921e72b190c79bf

SHA256
b5d9850b6c0d0f7db3122327226776f9b499fa873d9387db00c605d7e9379ef9

SHA512
c29de6114ef02e21be983ccaef0842f9a0b32b44480173cca4a74445fcf64a086f3922ab90a329b7561177bbc17e020fd0f878567810be4702c1f867c303d9da

Download Submit
C:\Users\Admin\AppData\Roaming\Msacos\Msags.exe

Filesize
990KB

MD5
5e712dd91a14698f67f5a270946fcbc6

SHA1
73d3a0b458b11d3731ef233ba921e72b190c79bf

SHA256
b5d9850b6c0d0f7db3122327226776f9b499fa873d9387db00c605d7e9379ef9

SHA512
c29de6114ef02e21be983ccaef0842f9a0b32b44480173cca4a74445fcf64a086f3922ab90a329b7561177bbc17e020fd0f878567810be4702c1f867c303d9da

Download Submit
\Users\Admin\AppData\Local\Temp\dwn.exe

Filesize
990KB

MD5
5e712dd91a14698f67f5a270946fcbc6

SHA1
73d3a0b458b11d3731ef233ba921e72b190c79bf

SHA256
b5d9850b6c0d0f7db3122327226776f9b499fa873d9387db00c605d7e9379ef9

SHA512
c29de6114ef02e21be983ccaef0842f9a0b32b44480173cca4a74445fcf64a086f3922ab90a329b7561177bbc17e020fd0f878567810be4702c1f867c303d9da

Download Submit
\Users\Admin\AppData\Roaming\Msacos\Msacs.exe

Filesize
1.4MB

MD5
876f5f878fc3f716cd877443ee68f7e3

SHA1
35a223eadf77e713de0f6a7951fdb32ec5a48973

SHA256
dfa31b84bc2fc462da90b7f1a13c30ef92965ceeb06db45879a5443ea0d99920

SHA512
3bc2f3a97613d054261086d0c1e83dab9237717142ac7d3ffe91ca5e918f73f0cf57b53e86aa1b4170c5bc4794c661fd079217d9e8150f7a942dde4e43dc6e83

Download Submit
\Users\Admin\AppData\Roaming\Msacos\Msags.exe

Filesize
990KB

MD5
5e712dd91a14698f67f5a270946fcbc6

SHA1
73d3a0b458b11d3731ef233ba921e72b190c79bf

SHA256
b5d9850b6c0d0f7db3122327226776f9b499fa873d9387db00c605d7e9379ef9

SHA512
c29de6114ef02e21be983ccaef0842f9a0b32b44480173cca4a74445fcf64a086f3922ab90a329b7561177bbc17e020fd0f878567810be4702c1f867c303d9da

Download Submit
memory/880-98-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/880-121-0x00000000000F0000-0x000000000012C000-memory.dmp

Filesize
240KB

Download
memory/880-122-0x00000000000F0000-0x000000000012C000-memory.dmp

Filesize
240KB

Download
memory/880-109-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/880-125-0x00000000000F0000-0x000000000012C000-memory.dmp

Filesize
240KB

Download
memory/880-124-0x00000000000F0000-0x000000000012C000-memory.dmp

Filesize
240KB

Download
memory/960-82-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/960-78-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/960-79-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/960-80-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/960-75-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/960-84-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/960-77-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/960-88-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/960-89-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/960-73-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/960-72-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/960-110-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1012-105-0x0000000001370000-0x000000000146E000-memory.dmp

Filesize
1016KB

Download
memory/1124-70-0x00000000009C0000-0x00000000009DA000-memory.dmp

Filesize
104KB

Download
memory/1124-71-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/1124-68-0x0000000001100000-0x0000000001260000-memory.dmp

Filesize
1.4MB

Download
memory/1320-96-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1632-136-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1632-134-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1632-131-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1932-56-0x00000000006F0000-0x0000000000720000-memory.dmp

Filesize
192KB

Download
memory/1932-54-0x0000000000040000-0x00000000001A0000-memory.dmp

Filesize
1.4MB

Download
memory/1932-55-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download
memory/1932-57-0x0000000004400000-0x0000000004418000-memory.dmp

Filesize
96KB

Download
memory/2008-119-0x0000000000F30000-0x000000000102E000-memory.dmp

Filesize
1016KB

Download
memory/2032-99-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2032-97-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download