agenttesla | dfa31b84bc2fc462da90b7f1a13c30ef92965ceeb06db45879a5443ea0d99920

Resubmissions

16/12/2022, 08:37

221216-kjcrwaed77 10

16/12/2022, 08:22

221216-j92cgshb8y 10

Analysis

max time kernel
628s
max time network
628s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
16/12/2022, 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Scan20221216192254.exe
Size

1.4MB
MD5

876f5f878fc3f716cd877443ee68f7e3
SHA1

35a223eadf77e713de0f6a7951fdb32ec5a48973
SHA256

dfa31b84bc2fc462da90b7f1a13c30ef92965ceeb06db45879a5443ea0d99920
SHA512

3bc2f3a97613d054261086d0c1e83dab9237717142ac7d3ffe91ca5e918f73f0cf57b53e86aa1b4170c5bc4794c661fd079217d9e8150f7a942dde4e43dc6e83
SSDEEP

12288:OixF+mYOpvTDg1Hoz+JE2QsO4BeylBqN6hFfX05M1pDUQDoC+v5c+JQZ24146/PQ:rCEHsOzj4j85M1hUQDAxzJX4vgkW

Score

10^/10

agenttesla remcos thirdclients collection keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

remcos

Botnet

ThirdClients

79.134.225.97:1558

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
appsync.exe
copy_folder
Appsync
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Appsync
keylog_path
%AppData%
mouse_option
false
mutex
Appsync-00ARH2
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Appsync
take_screenshot_option
true
take_screenshot_time
55
take_screenshot_title
mail;webmail;crypto;btc;ethereum;bitcoin;eth;outlook;foxmail;bank;email;compose;

Extracted

Family

agenttesla

https://api.telegram.org/bot5169304639:AAEuGpfCL-hv_A-RdB_r9uRMHt_yvJZb2Z8/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Msacos\\Msacs.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Msacos\\Msags.exe,"	reg.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/3628-157-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/2236-159-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 3 IoCs

resource	yara_rule
behavioral2/memory/3628-157-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral2/memory/2052-158-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2236-159-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Executes dropped EXE 3 IoCs

pid	Process
1640	Msacs.exe
3536	dwn.exe
4616	Msags.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	AddInProcess32.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
111	api.ipify.org
112	api.ipify.org

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1640 set thread context of 3552	1640	Msacs.exe	100
PID 3552 set thread context of 2236	3552	AddInProcess32.exe	102
PID 3552 set thread context of 3628	3552	AddInProcess32.exe	105
PID 3552 set thread context of 2052	3552	AddInProcess32.exe	104
PID 4616 set thread context of 2828	4616	Msags.exe	118

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
5112	PING.EXE
4228	PING.EXE
2248	PING.EXE
4472	PING.EXE
1080	PING.EXE
4952	PING.EXE

Suspicious behavior: EnumeratesProcesses 57 IoCs

pid	Process
4156	Scan20221216192254.exe
4156	Scan20221216192254.exe
4156	Scan20221216192254.exe
4156	Scan20221216192254.exe
4156	Scan20221216192254.exe
4156	Scan20221216192254.exe
4156	Scan20221216192254.exe
4156	Scan20221216192254.exe
4156	Scan20221216192254.exe
4156	Scan20221216192254.exe
4156	Scan20221216192254.exe
4156	Scan20221216192254.exe
4156	Scan20221216192254.exe
4156	Scan20221216192254.exe
4156	Scan20221216192254.exe
4156	Scan20221216192254.exe
4156	Scan20221216192254.exe
4156	Scan20221216192254.exe
4156	Scan20221216192254.exe
4156	Scan20221216192254.exe
4156	Scan20221216192254.exe
4156	Scan20221216192254.exe
4156	Scan20221216192254.exe
1640	Msacs.exe
1640	Msacs.exe
2236	AddInProcess32.exe
2236	AddInProcess32.exe
2052	AddInProcess32.exe
2052	AddInProcess32.exe
2236	AddInProcess32.exe
2236	AddInProcess32.exe
3536	dwn.exe
3536	dwn.exe
3536	dwn.exe
3536	dwn.exe
3536	dwn.exe
3536	dwn.exe
3536	dwn.exe
3536	dwn.exe
3536	dwn.exe
3536	dwn.exe
3536	dwn.exe
3536	dwn.exe
3536	dwn.exe
3536	dwn.exe
3536	dwn.exe
3536	dwn.exe
3536	dwn.exe
3536	dwn.exe
3536	dwn.exe
3536	dwn.exe
3536	dwn.exe
4616	Msags.exe
4616	Msags.exe
2828	InstallUtil.exe
2828	InstallUtil.exe
2828	InstallUtil.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3552	AddInProcess32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
3552	AddInProcess32.exe
3552	AddInProcess32.exe
3552	AddInProcess32.exe
3552	AddInProcess32.exe
3552	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4156	Scan20221216192254.exe
Token: SeDebugPrivilege	1640	Msacs.exe
Token: SeDebugPrivilege	2052	AddInProcess32.exe
Token: SeDebugPrivilege	3536	dwn.exe
Token: SeDebugPrivilege	4616	Msags.exe
Token: SeDebugPrivilege	2828	InstallUtil.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3552	AddInProcess32.exe
2828	InstallUtil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4156 wrote to memory of 3708	4156	Scan20221216192254.exe	83
PID 4156 wrote to memory of 3708	4156	Scan20221216192254.exe	83
PID 4156 wrote to memory of 3708	4156	Scan20221216192254.exe	83
PID 3708 wrote to memory of 5112	3708	cmd.exe	85
PID 3708 wrote to memory of 5112	3708	cmd.exe	85
PID 3708 wrote to memory of 5112	3708	cmd.exe	85
PID 4156 wrote to memory of 2780	4156	Scan20221216192254.exe	94
PID 4156 wrote to memory of 2780	4156	Scan20221216192254.exe	94
PID 4156 wrote to memory of 2780	4156	Scan20221216192254.exe	94
PID 2780 wrote to memory of 4228	2780	cmd.exe	96
PID 2780 wrote to memory of 4228	2780	cmd.exe	96
PID 2780 wrote to memory of 4228	2780	cmd.exe	96
PID 3708 wrote to memory of 3512	3708	cmd.exe	97
PID 3708 wrote to memory of 3512	3708	cmd.exe	97
PID 3708 wrote to memory of 3512	3708	cmd.exe	97
PID 2780 wrote to memory of 2248	2780	cmd.exe	98
PID 2780 wrote to memory of 2248	2780	cmd.exe	98
PID 2780 wrote to memory of 2248	2780	cmd.exe	98
PID 2780 wrote to memory of 1640	2780	cmd.exe	99
PID 2780 wrote to memory of 1640	2780	cmd.exe	99
PID 2780 wrote to memory of 1640	2780	cmd.exe	99
PID 1640 wrote to memory of 3552	1640	Msacs.exe	100
PID 1640 wrote to memory of 3552	1640	Msacs.exe	100
PID 1640 wrote to memory of 3552	1640	Msacs.exe	100
PID 1640 wrote to memory of 3552	1640	Msacs.exe	100
PID 1640 wrote to memory of 3552	1640	Msacs.exe	100
PID 1640 wrote to memory of 3552	1640	Msacs.exe	100
PID 1640 wrote to memory of 3552	1640	Msacs.exe	100
PID 1640 wrote to memory of 3552	1640	Msacs.exe	100
PID 1640 wrote to memory of 3552	1640	Msacs.exe	100
PID 1640 wrote to memory of 3552	1640	Msacs.exe	100
PID 1640 wrote to memory of 3552	1640	Msacs.exe	100
PID 1640 wrote to memory of 3552	1640	Msacs.exe	100
PID 3552 wrote to memory of 2092	3552	AddInProcess32.exe	101
PID 3552 wrote to memory of 2092	3552	AddInProcess32.exe	101
PID 3552 wrote to memory of 2092	3552	AddInProcess32.exe	101
PID 3552 wrote to memory of 2236	3552	AddInProcess32.exe	102
PID 3552 wrote to memory of 2236	3552	AddInProcess32.exe	102
PID 3552 wrote to memory of 2236	3552	AddInProcess32.exe	102
PID 3552 wrote to memory of 2236	3552	AddInProcess32.exe	102
PID 3552 wrote to memory of 4756	3552	AddInProcess32.exe	103
PID 3552 wrote to memory of 4756	3552	AddInProcess32.exe	103
PID 3552 wrote to memory of 4756	3552	AddInProcess32.exe	103
PID 3552 wrote to memory of 3628	3552	AddInProcess32.exe	105
PID 3552 wrote to memory of 3628	3552	AddInProcess32.exe	105
PID 3552 wrote to memory of 3628	3552	AddInProcess32.exe	105
PID 3552 wrote to memory of 3628	3552	AddInProcess32.exe	105
PID 3552 wrote to memory of 2052	3552	AddInProcess32.exe	104
PID 3552 wrote to memory of 2052	3552	AddInProcess32.exe	104
PID 3552 wrote to memory of 2052	3552	AddInProcess32.exe	104
PID 3552 wrote to memory of 2052	3552	AddInProcess32.exe	104
PID 3552 wrote to memory of 3536	3552	AddInProcess32.exe	106
PID 3552 wrote to memory of 3536	3552	AddInProcess32.exe	106
PID 3552 wrote to memory of 3536	3552	AddInProcess32.exe	106
PID 3536 wrote to memory of 5096	3536	dwn.exe	107
PID 3536 wrote to memory of 5096	3536	dwn.exe	107
PID 3536 wrote to memory of 5096	3536	dwn.exe	107
PID 5096 wrote to memory of 4472	5096	cmd.exe	109
PID 5096 wrote to memory of 4472	5096	cmd.exe	109
PID 5096 wrote to memory of 4472	5096	cmd.exe	109
PID 3536 wrote to memory of 1496	3536	dwn.exe	110
PID 3536 wrote to memory of 1496	3536	dwn.exe	110
PID 3536 wrote to memory of 1496	3536	dwn.exe	110
PID 1496 wrote to memory of 1080	1496	cmd.exe	112

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\Scan20221216192254.exe
"C:\Users\Admin\AppData\Local\Temp\Scan20221216192254.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Msacos\Msacs.exe,"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3708
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 36
    3⤵
    - Runs ping.exe
    PID:5112
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Msacos\Msacs.exe,"
    3⤵
    - Modifies WinLogon for persistence
    PID:3512
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 39 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Scan20221216192254.exe" "C:\Users\Admin\AppData\Roaming\Msacos\Msacs.exe" && ping 127.0.0.1 -n 39 > nul && "C:\Users\Admin\AppData\Roaming\Msacos\Msacs.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 39
    3⤵
    - Runs ping.exe
    PID:4228
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 39
    3⤵
    - Runs ping.exe
    PID:2248
- - C:\Users\Admin\AppData\Roaming\Msacos\Msacs.exe
    "C:\Users\Admin\AppData\Roaming\Msacos\Msacs.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3552
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\kldff"
        5⤵
        
        PID:2092
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\kldff"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2236
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\nfiygjtsh"
        5⤵
        
        PID:4756
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\xhnihbmuvpzc"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\nfiygjtsh"
        5⤵
        Accesses Microsoft Outlook accounts
        
        PID:3628
    - - C:\Users\Admin\AppData\Local\Temp\dwn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dwn.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3536
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Msacos\Msags.exe,"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 39
        7⤵
        Runs ping.exe
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Msacos\Msags.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:4116
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 38 > nul && copy "C:\Users\Admin\AppData\Local\Temp\dwn.exe" "C:\Users\Admin\AppData\Roaming\Msacos\Msags.exe" && ping 127.0.0.1 -n 38 > nul && "C:\Users\Admin\AppData\Roaming\Msacos\Msags.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 38
        7⤵
        Runs ping.exe
        
        PID:1080
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 38
        7⤵
        Runs ping.exe
        
        PID:4952
        
        C:\Users\Admin\AppData\Roaming\Msacos\Msags.exe
        
        "C:\Users\Admin\AppData\Roaming\Msacos\Msags.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4616
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        8⤵
        Accesses Microsoft Outlook profiles
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        outlook_office_path
        outlook_win_path
        
        PID:2828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dwn.exe

Filesize
990KB

MD5
5e712dd91a14698f67f5a270946fcbc6

SHA1
73d3a0b458b11d3731ef233ba921e72b190c79bf

SHA256
b5d9850b6c0d0f7db3122327226776f9b499fa873d9387db00c605d7e9379ef9

SHA512
c29de6114ef02e21be983ccaef0842f9a0b32b44480173cca4a74445fcf64a086f3922ab90a329b7561177bbc17e020fd0f878567810be4702c1f867c303d9da

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwn.exe

Filesize
990KB

MD5
5e712dd91a14698f67f5a270946fcbc6

SHA1
73d3a0b458b11d3731ef233ba921e72b190c79bf

SHA256
b5d9850b6c0d0f7db3122327226776f9b499fa873d9387db00c605d7e9379ef9

SHA512
c29de6114ef02e21be983ccaef0842f9a0b32b44480173cca4a74445fcf64a086f3922ab90a329b7561177bbc17e020fd0f878567810be4702c1f867c303d9da

Download Submit
C:\Users\Admin\AppData\Local\Temp\kldff

Filesize
4KB

MD5
07c14121728256ad56b1ef039a28e4a6

SHA1
0f39e1e02cd5e2b1b22d9e5470757ae13fe96738

SHA256
8d46702077d776b04085cbe5ce2f0e5971595ea4e11b025a215c4379e7fc18f8

SHA512
03d9113095e7b6143c4f99b131462fa451a9c2d7e841461603dace64bd6d525cb63d074384d2b3ff285a7183116f1715138beeb756fced9a6b1ad6fde36d4789

Download Submit
C:\Users\Admin\AppData\Roaming\Msacos\Msacs.exe

Filesize
1.4MB

MD5
876f5f878fc3f716cd877443ee68f7e3

SHA1
35a223eadf77e713de0f6a7951fdb32ec5a48973

SHA256
dfa31b84bc2fc462da90b7f1a13c30ef92965ceeb06db45879a5443ea0d99920

SHA512
3bc2f3a97613d054261086d0c1e83dab9237717142ac7d3ffe91ca5e918f73f0cf57b53e86aa1b4170c5bc4794c661fd079217d9e8150f7a942dde4e43dc6e83

Download Submit
C:\Users\Admin\AppData\Roaming\Msacos\Msacs.exe

Filesize
1.4MB

MD5
876f5f878fc3f716cd877443ee68f7e3

SHA1
35a223eadf77e713de0f6a7951fdb32ec5a48973

SHA256
dfa31b84bc2fc462da90b7f1a13c30ef92965ceeb06db45879a5443ea0d99920

SHA512
3bc2f3a97613d054261086d0c1e83dab9237717142ac7d3ffe91ca5e918f73f0cf57b53e86aa1b4170c5bc4794c661fd079217d9e8150f7a942dde4e43dc6e83

Download Submit
C:\Users\Admin\AppData\Roaming\Msacos\Msags.exe

Filesize
990KB

MD5
5e712dd91a14698f67f5a270946fcbc6

SHA1
73d3a0b458b11d3731ef233ba921e72b190c79bf

SHA256
b5d9850b6c0d0f7db3122327226776f9b499fa873d9387db00c605d7e9379ef9

SHA512
c29de6114ef02e21be983ccaef0842f9a0b32b44480173cca4a74445fcf64a086f3922ab90a329b7561177bbc17e020fd0f878567810be4702c1f867c303d9da

Download Submit
C:\Users\Admin\AppData\Roaming\Msacos\Msags.exe

Filesize
990KB

MD5
5e712dd91a14698f67f5a270946fcbc6

SHA1
73d3a0b458b11d3731ef233ba921e72b190c79bf

SHA256
b5d9850b6c0d0f7db3122327226776f9b499fa873d9387db00c605d7e9379ef9

SHA512
c29de6114ef02e21be983ccaef0842f9a0b32b44480173cca4a74445fcf64a086f3922ab90a329b7561177bbc17e020fd0f878567810be4702c1f867c303d9da

Download Submit
memory/1640-146-0x0000000000940000-0x0000000000AA0000-memory.dmp

Filesize
1.4MB

Download
memory/2052-158-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2236-159-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2828-177-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2828-178-0x0000000005430000-0x0000000005496000-memory.dmp

Filesize
408KB

Download
memory/2828-179-0x00000000066B0000-0x0000000006700000-memory.dmp

Filesize
320KB

Download
memory/3536-163-0x00000000003A0000-0x000000000049E000-memory.dmp

Filesize
1016KB

Download
memory/3552-150-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3552-167-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3552-148-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3552-151-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3552-149-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3628-157-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4156-132-0x0000000000B70000-0x0000000000CD0000-memory.dmp

Filesize
1.4MB

Download
memory/4156-135-0x0000000005000000-0x000000000509C000-memory.dmp

Filesize
624KB

Download
memory/4156-134-0x0000000004EA0000-0x0000000004F32000-memory.dmp

Filesize
584KB

Download
memory/4156-133-0x0000000005510000-0x0000000005AB4000-memory.dmp

Filesize
5.6MB

Download
memory/4156-136-0x000000000BA20000-0x000000000BA2A000-memory.dmp

Filesize
40KB

Download
memory/4616-175-0x0000000000FD0000-0x00000000010CE000-memory.dmp

Filesize
1016KB

Download