snakekeylogger | bdec6f0bf7b4d3d3b78b6173b6c9fd053d80b86c43db8a9f2e7add084e4ecdc9

Resubmissions

04/04/2023, 19:01

230404-xn7h9shd67 10

04/04/2023, 17:14

230404-vsdewagh32 10

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
04/04/2023, 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qbOdWSNNuqquo2E.exe
Size

2.0MB
MD5

40c32c129e09d3eb618e27eb168aaadf
SHA1

6a35a5fa5a53ceba217c66562477e954aec8eb2b
SHA256

e09eaaa707261756f322c8d5b12af0a09c575ffbdd7bf19b895cab4982b7f68a
SHA512

72ba764a542f0f61b0375a37e646d7bbdb78ca2b1aabedd33a42472e5a8099211311d699161ba51f03db6a46481556644542f991e7ef443eec2721d093b7da48
SSDEEP

49152:6nsHyjtk2MYC5GDDMZEf4F0fVGJ2LxsL9ve049:6nsmtk2a1igSA2F0DU

Score

10^/10

snakekeylogger collection keylogger persistence spyware stealer

Malware Config

Extracted

Family

snakekeylogger

https://api.telegram.org/bot6241220793:AAFx6XFOw5z4Op7twC8hAqYib_mTz67Z4Ak/sendMessage?chat_id=2054148913

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 11 IoCs

resource	yara_rule
behavioral1/memory/1164-154-0x0000000000400000-0x00000000004E2000-memory.dmp	family_snakekeylogger
behavioral1/memory/1164-156-0x0000000000400000-0x00000000004E2000-memory.dmp	family_snakekeylogger
behavioral1/memory/1164-157-0x0000000000400000-0x00000000004E2000-memory.dmp	family_snakekeylogger
behavioral1/memory/1164-159-0x0000000000400000-0x00000000004E2000-memory.dmp	family_snakekeylogger
behavioral1/files/0x00070000000139f0-165.dat	family_snakekeylogger
behavioral1/files/0x00070000000139f0-167.dat	family_snakekeylogger
behavioral1/memory/340-171-0x0000000000200000-0x0000000000226000-memory.dmp	family_snakekeylogger
behavioral1/memory/1164-170-0x0000000000400000-0x00000000004E2000-memory.dmp	family_snakekeylogger
behavioral1/files/0x00070000000139f0-169.dat	family_snakekeylogger
behavioral1/files/0x00070000000139f0-168.dat	family_snakekeylogger
behavioral1/memory/340-172-0x0000000000500000-0x0000000000540000-memory.dmp	family_snakekeylogger

Executes dropped EXE 6 IoCs

pid	Process
1564	._cache_qbOdWSNNuqquo2E.exe
588	Synaptics.exe
1492	._cache_Synaptics.exe
836	._cache_Synaptics.exe
1164	._cache_Synaptics.exe
340	._cache_._cache_Synaptics.exe

Loads dropped DLL 14 IoCs

pid	Process
760	qbOdWSNNuqquo2E.exe
760	qbOdWSNNuqquo2E.exe
760	qbOdWSNNuqquo2E.exe
588	Synaptics.exe
588	Synaptics.exe
764	WerFault.exe
764	WerFault.exe
764	WerFault.exe
764	WerFault.exe
764	WerFault.exe
1492	._cache_Synaptics.exe
1492	._cache_Synaptics.exe
1164	._cache_Synaptics.exe
1164	._cache_Synaptics.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	qbOdWSNNuqquo2E.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1492 set thread context of 1164	1492	._cache_Synaptics.exe	40

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
764	1564	WerFault.exe	28

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1812	schtasks.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
952	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1492	._cache_Synaptics.exe
1492	._cache_Synaptics.exe
1680	powershell.exe
340	._cache_._cache_Synaptics.exe
340	._cache_._cache_Synaptics.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1492	._cache_Synaptics.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	340	._cache_._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
952	EXCEL.EXE

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 760 wrote to memory of 1564	760	qbOdWSNNuqquo2E.exe	28
PID 760 wrote to memory of 1564	760	qbOdWSNNuqquo2E.exe	28
PID 760 wrote to memory of 1564	760	qbOdWSNNuqquo2E.exe	28
PID 760 wrote to memory of 1564	760	qbOdWSNNuqquo2E.exe	28
PID 760 wrote to memory of 588	760	qbOdWSNNuqquo2E.exe	29
PID 760 wrote to memory of 588	760	qbOdWSNNuqquo2E.exe	29
PID 760 wrote to memory of 588	760	qbOdWSNNuqquo2E.exe	29
PID 760 wrote to memory of 588	760	qbOdWSNNuqquo2E.exe	29
PID 588 wrote to memory of 1492	588	Synaptics.exe	30
PID 588 wrote to memory of 1492	588	Synaptics.exe	30
PID 588 wrote to memory of 1492	588	Synaptics.exe	30
PID 588 wrote to memory of 1492	588	Synaptics.exe	30
PID 1564 wrote to memory of 764	1564	._cache_qbOdWSNNuqquo2E.exe	34
PID 1564 wrote to memory of 764	1564	._cache_qbOdWSNNuqquo2E.exe	34
PID 1564 wrote to memory of 764	1564	._cache_qbOdWSNNuqquo2E.exe	34
PID 1564 wrote to memory of 764	1564	._cache_qbOdWSNNuqquo2E.exe	34
PID 1492 wrote to memory of 1680	1492	._cache_Synaptics.exe	35
PID 1492 wrote to memory of 1680	1492	._cache_Synaptics.exe	35
PID 1492 wrote to memory of 1680	1492	._cache_Synaptics.exe	35
PID 1492 wrote to memory of 1680	1492	._cache_Synaptics.exe	35
PID 1492 wrote to memory of 1812	1492	._cache_Synaptics.exe	37
PID 1492 wrote to memory of 1812	1492	._cache_Synaptics.exe	37
PID 1492 wrote to memory of 1812	1492	._cache_Synaptics.exe	37
PID 1492 wrote to memory of 1812	1492	._cache_Synaptics.exe	37
PID 1492 wrote to memory of 836	1492	._cache_Synaptics.exe	39
PID 1492 wrote to memory of 836	1492	._cache_Synaptics.exe	39
PID 1492 wrote to memory of 836	1492	._cache_Synaptics.exe	39
PID 1492 wrote to memory of 836	1492	._cache_Synaptics.exe	39
PID 1492 wrote to memory of 1164	1492	._cache_Synaptics.exe	40
PID 1492 wrote to memory of 1164	1492	._cache_Synaptics.exe	40
PID 1492 wrote to memory of 1164	1492	._cache_Synaptics.exe	40
PID 1492 wrote to memory of 1164	1492	._cache_Synaptics.exe	40
PID 1492 wrote to memory of 1164	1492	._cache_Synaptics.exe	40
PID 1492 wrote to memory of 1164	1492	._cache_Synaptics.exe	40
PID 1492 wrote to memory of 1164	1492	._cache_Synaptics.exe	40
PID 1492 wrote to memory of 1164	1492	._cache_Synaptics.exe	40
PID 1492 wrote to memory of 1164	1492	._cache_Synaptics.exe	40
PID 1492 wrote to memory of 1164	1492	._cache_Synaptics.exe	40
PID 1492 wrote to memory of 1164	1492	._cache_Synaptics.exe	40
PID 1492 wrote to memory of 1164	1492	._cache_Synaptics.exe	40
PID 1164 wrote to memory of 340	1164	._cache_Synaptics.exe	41
PID 1164 wrote to memory of 340	1164	._cache_Synaptics.exe	41
PID 1164 wrote to memory of 340	1164	._cache_Synaptics.exe	41
PID 1164 wrote to memory of 340	1164	._cache_Synaptics.exe	41

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_._cache_Synaptics.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_._cache_Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\qbOdWSNNuqquo2E.exe
"C:\Users\Admin\AppData\Local\Temp\qbOdWSNNuqquo2E.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:760
- C:\Users\Admin\AppData\Local\Temp\._cache_qbOdWSNNuqquo2E.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_qbOdWSNNuqquo2E.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 720
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:764
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:588
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bRBgyCtm.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1680
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bRBgyCtm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE3EA.tmp"
      4⤵
      Creates scheduled task(s)
      PID:1812
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
      4⤵
      Executes dropped EXE
      PID:836
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1164
    - - C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe"
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:340

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
2.0MB

MD5
40c32c129e09d3eb618e27eb168aaadf

SHA1
6a35a5fa5a53ceba217c66562477e954aec8eb2b

SHA256
e09eaaa707261756f322c8d5b12af0a09c575ffbdd7bf19b895cab4982b7f68a

SHA512
72ba764a542f0f61b0375a37e646d7bbdb78ca2b1aabedd33a42472e5a8099211311d699161ba51f03db6a46481556644542f991e7ef443eec2721d093b7da48

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
2.0MB

MD5
40c32c129e09d3eb618e27eb168aaadf

SHA1
6a35a5fa5a53ceba217c66562477e954aec8eb2b

SHA256
e09eaaa707261756f322c8d5b12af0a09c575ffbdd7bf19b895cab4982b7f68a

SHA512
72ba764a542f0f61b0375a37e646d7bbdb78ca2b1aabedd33a42472e5a8099211311d699161ba51f03db6a46481556644542f991e7ef443eec2721d093b7da48

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
2.0MB

MD5
40c32c129e09d3eb618e27eb168aaadf

SHA1
6a35a5fa5a53ceba217c66562477e954aec8eb2b

SHA256
e09eaaa707261756f322c8d5b12af0a09c575ffbdd7bf19b895cab4982b7f68a

SHA512
72ba764a542f0f61b0375a37e646d7bbdb78ca2b1aabedd33a42472e5a8099211311d699161ba51f03db6a46481556644542f991e7ef443eec2721d093b7da48

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe

Filesize
127KB

MD5
2306789692c2e5e8ea14fe50fcb67f8a

SHA1
c8b5ebd3841889ece6b1fb8ee62d6b3aaf752912

SHA256
8fd9fe29be30f381199070f2c09d8213c0ac8be98836086052bb83fe53d7f6c3

SHA512
367d04fe143f81a78f78e997d32b97f8787a42f34da1026e99e990465243eb51dacd569e7ca298b40f7ba3e9e315249e23fcde60930af072ba5de10a568ded1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe

Filesize
127KB

MD5
2306789692c2e5e8ea14fe50fcb67f8a

SHA1
c8b5ebd3841889ece6b1fb8ee62d6b3aaf752912

SHA256
8fd9fe29be30f381199070f2c09d8213c0ac8be98836086052bb83fe53d7f6c3

SHA512
367d04fe143f81a78f78e997d32b97f8787a42f34da1026e99e990465243eb51dacd569e7ca298b40f7ba3e9e315249e23fcde60930af072ba5de10a568ded1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe

Filesize
127KB

MD5
2306789692c2e5e8ea14fe50fcb67f8a

SHA1
c8b5ebd3841889ece6b1fb8ee62d6b3aaf752912

SHA256
8fd9fe29be30f381199070f2c09d8213c0ac8be98836086052bb83fe53d7f6c3

SHA512
367d04fe143f81a78f78e997d32b97f8787a42f34da1026e99e990465243eb51dacd569e7ca298b40f7ba3e9e315249e23fcde60930af072ba5de10a568ded1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
1.3MB

MD5
8aeb2829342f8bb9acb171472da1d64e

SHA1
b04d798d1375c242273fd6a1d8553b9312663668

SHA256
9d0618a3a6027f47ebd85a126770e86f37e6e47b35f2175e7fde30acf1d73020

SHA512
2b3dfadd3dfc8ae36708774eecd78a183f60392742f8108c0e607f22e85e7046cf809e127a6cee36be3d0c81bb8b1cd553a46b960c9f41621cb1d5b0293b3db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
1.3MB

MD5
8aeb2829342f8bb9acb171472da1d64e

SHA1
b04d798d1375c242273fd6a1d8553b9312663668

SHA256
9d0618a3a6027f47ebd85a126770e86f37e6e47b35f2175e7fde30acf1d73020

SHA512
2b3dfadd3dfc8ae36708774eecd78a183f60392742f8108c0e607f22e85e7046cf809e127a6cee36be3d0c81bb8b1cd553a46b960c9f41621cb1d5b0293b3db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
1.3MB

MD5
8aeb2829342f8bb9acb171472da1d64e

SHA1
b04d798d1375c242273fd6a1d8553b9312663668

SHA256
9d0618a3a6027f47ebd85a126770e86f37e6e47b35f2175e7fde30acf1d73020

SHA512
2b3dfadd3dfc8ae36708774eecd78a183f60392742f8108c0e607f22e85e7046cf809e127a6cee36be3d0c81bb8b1cd553a46b960c9f41621cb1d5b0293b3db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
1.3MB

MD5
8aeb2829342f8bb9acb171472da1d64e

SHA1
b04d798d1375c242273fd6a1d8553b9312663668

SHA256
9d0618a3a6027f47ebd85a126770e86f37e6e47b35f2175e7fde30acf1d73020

SHA512
2b3dfadd3dfc8ae36708774eecd78a183f60392742f8108c0e607f22e85e7046cf809e127a6cee36be3d0c81bb8b1cd553a46b960c9f41621cb1d5b0293b3db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_qbOdWSNNuqquo2E.exe

Filesize
1.3MB

MD5
8aeb2829342f8bb9acb171472da1d64e

SHA1
b04d798d1375c242273fd6a1d8553b9312663668

SHA256
9d0618a3a6027f47ebd85a126770e86f37e6e47b35f2175e7fde30acf1d73020

SHA512
2b3dfadd3dfc8ae36708774eecd78a183f60392742f8108c0e607f22e85e7046cf809e127a6cee36be3d0c81bb8b1cd553a46b960c9f41621cb1d5b0293b3db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_qbOdWSNNuqquo2E.exe

Filesize
1.3MB

MD5
8aeb2829342f8bb9acb171472da1d64e

SHA1
b04d798d1375c242273fd6a1d8553b9312663668

SHA256
9d0618a3a6027f47ebd85a126770e86f37e6e47b35f2175e7fde30acf1d73020

SHA512
2b3dfadd3dfc8ae36708774eecd78a183f60392742f8108c0e607f22e85e7046cf809e127a6cee36be3d0c81bb8b1cd553a46b960c9f41621cb1d5b0293b3db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_qbOdWSNNuqquo2E.exe

Filesize
1.3MB

MD5
8aeb2829342f8bb9acb171472da1d64e

SHA1
b04d798d1375c242273fd6a1d8553b9312663668

SHA256
9d0618a3a6027f47ebd85a126770e86f37e6e47b35f2175e7fde30acf1d73020

SHA512
2b3dfadd3dfc8ae36708774eecd78a183f60392742f8108c0e607f22e85e7046cf809e127a6cee36be3d0c81bb8b1cd553a46b960c9f41621cb1d5b0293b3db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DeMJj6LO.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE3EA.tmp

Filesize
1KB

MD5
e3a9894f51a1e022698dd133816942c5

SHA1
76115f60337fa91f3eab77d4d3c5ebfa4f3bba02

SHA256
2548b866e4a264464d21aa210f2dc19442bf2000515ab06c00707972bd5b0af8

SHA512
fc6c672d5754c542b2dcd983219242b14f3278cfa18c5bbafa9768b069f65c017e830fb1f22ac16c1dfcae0e9e19e78e5e488bff59eda78c51af7d61145dd767

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
2.0MB

MD5
40c32c129e09d3eb618e27eb168aaadf

SHA1
6a35a5fa5a53ceba217c66562477e954aec8eb2b

SHA256
e09eaaa707261756f322c8d5b12af0a09c575ffbdd7bf19b895cab4982b7f68a

SHA512
72ba764a542f0f61b0375a37e646d7bbdb78ca2b1aabedd33a42472e5a8099211311d699161ba51f03db6a46481556644542f991e7ef443eec2721d093b7da48

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
2.0MB

MD5
40c32c129e09d3eb618e27eb168aaadf

SHA1
6a35a5fa5a53ceba217c66562477e954aec8eb2b

SHA256
e09eaaa707261756f322c8d5b12af0a09c575ffbdd7bf19b895cab4982b7f68a

SHA512
72ba764a542f0f61b0375a37e646d7bbdb78ca2b1aabedd33a42472e5a8099211311d699161ba51f03db6a46481556644542f991e7ef443eec2721d093b7da48

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
2.0MB

MD5
40c32c129e09d3eb618e27eb168aaadf

SHA1
6a35a5fa5a53ceba217c66562477e954aec8eb2b

SHA256
e09eaaa707261756f322c8d5b12af0a09c575ffbdd7bf19b895cab4982b7f68a

SHA512
72ba764a542f0f61b0375a37e646d7bbdb78ca2b1aabedd33a42472e5a8099211311d699161ba51f03db6a46481556644542f991e7ef443eec2721d093b7da48

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe

Filesize
127KB

MD5
2306789692c2e5e8ea14fe50fcb67f8a

SHA1
c8b5ebd3841889ece6b1fb8ee62d6b3aaf752912

SHA256
8fd9fe29be30f381199070f2c09d8213c0ac8be98836086052bb83fe53d7f6c3

SHA512
367d04fe143f81a78f78e997d32b97f8787a42f34da1026e99e990465243eb51dacd569e7ca298b40f7ba3e9e315249e23fcde60930af072ba5de10a568ded1b

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
1.3MB

MD5
8aeb2829342f8bb9acb171472da1d64e

SHA1
b04d798d1375c242273fd6a1d8553b9312663668

SHA256
9d0618a3a6027f47ebd85a126770e86f37e6e47b35f2175e7fde30acf1d73020

SHA512
2b3dfadd3dfc8ae36708774eecd78a183f60392742f8108c0e607f22e85e7046cf809e127a6cee36be3d0c81bb8b1cd553a46b960c9f41621cb1d5b0293b3db1

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
1.3MB

MD5
8aeb2829342f8bb9acb171472da1d64e

SHA1
b04d798d1375c242273fd6a1d8553b9312663668

SHA256
9d0618a3a6027f47ebd85a126770e86f37e6e47b35f2175e7fde30acf1d73020

SHA512
2b3dfadd3dfc8ae36708774eecd78a183f60392742f8108c0e607f22e85e7046cf809e127a6cee36be3d0c81bb8b1cd553a46b960c9f41621cb1d5b0293b3db1

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
1.3MB

MD5
8aeb2829342f8bb9acb171472da1d64e

SHA1
b04d798d1375c242273fd6a1d8553b9312663668

SHA256
9d0618a3a6027f47ebd85a126770e86f37e6e47b35f2175e7fde30acf1d73020

SHA512
2b3dfadd3dfc8ae36708774eecd78a183f60392742f8108c0e607f22e85e7046cf809e127a6cee36be3d0c81bb8b1cd553a46b960c9f41621cb1d5b0293b3db1

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
1.3MB

MD5
8aeb2829342f8bb9acb171472da1d64e

SHA1
b04d798d1375c242273fd6a1d8553b9312663668

SHA256
9d0618a3a6027f47ebd85a126770e86f37e6e47b35f2175e7fde30acf1d73020

SHA512
2b3dfadd3dfc8ae36708774eecd78a183f60392742f8108c0e607f22e85e7046cf809e127a6cee36be3d0c81bb8b1cd553a46b960c9f41621cb1d5b0293b3db1

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_qbOdWSNNuqquo2E.exe

Filesize
1.3MB

MD5
8aeb2829342f8bb9acb171472da1d64e

SHA1
b04d798d1375c242273fd6a1d8553b9312663668

SHA256
9d0618a3a6027f47ebd85a126770e86f37e6e47b35f2175e7fde30acf1d73020

SHA512
2b3dfadd3dfc8ae36708774eecd78a183f60392742f8108c0e607f22e85e7046cf809e127a6cee36be3d0c81bb8b1cd553a46b960c9f41621cb1d5b0293b3db1

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_qbOdWSNNuqquo2E.exe

Filesize
1.3MB

MD5
8aeb2829342f8bb9acb171472da1d64e

SHA1
b04d798d1375c242273fd6a1d8553b9312663668

SHA256
9d0618a3a6027f47ebd85a126770e86f37e6e47b35f2175e7fde30acf1d73020

SHA512
2b3dfadd3dfc8ae36708774eecd78a183f60392742f8108c0e607f22e85e7046cf809e127a6cee36be3d0c81bb8b1cd553a46b960c9f41621cb1d5b0293b3db1

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_qbOdWSNNuqquo2E.exe

Filesize
1.3MB

MD5
8aeb2829342f8bb9acb171472da1d64e

SHA1
b04d798d1375c242273fd6a1d8553b9312663668

SHA256
9d0618a3a6027f47ebd85a126770e86f37e6e47b35f2175e7fde30acf1d73020

SHA512
2b3dfadd3dfc8ae36708774eecd78a183f60392742f8108c0e607f22e85e7046cf809e127a6cee36be3d0c81bb8b1cd553a46b960c9f41621cb1d5b0293b3db1

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_qbOdWSNNuqquo2E.exe

Filesize
1.3MB

MD5
8aeb2829342f8bb9acb171472da1d64e

SHA1
b04d798d1375c242273fd6a1d8553b9312663668

SHA256
9d0618a3a6027f47ebd85a126770e86f37e6e47b35f2175e7fde30acf1d73020

SHA512
2b3dfadd3dfc8ae36708774eecd78a183f60392742f8108c0e607f22e85e7046cf809e127a6cee36be3d0c81bb8b1cd553a46b960c9f41621cb1d5b0293b3db1

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_qbOdWSNNuqquo2E.exe

Filesize
1.3MB

MD5
8aeb2829342f8bb9acb171472da1d64e

SHA1
b04d798d1375c242273fd6a1d8553b9312663668

SHA256
9d0618a3a6027f47ebd85a126770e86f37e6e47b35f2175e7fde30acf1d73020

SHA512
2b3dfadd3dfc8ae36708774eecd78a183f60392742f8108c0e607f22e85e7046cf809e127a6cee36be3d0c81bb8b1cd553a46b960c9f41621cb1d5b0293b3db1

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_qbOdWSNNuqquo2E.exe

Filesize
1.3MB

MD5
8aeb2829342f8bb9acb171472da1d64e

SHA1
b04d798d1375c242273fd6a1d8553b9312663668

SHA256
9d0618a3a6027f47ebd85a126770e86f37e6e47b35f2175e7fde30acf1d73020

SHA512
2b3dfadd3dfc8ae36708774eecd78a183f60392742f8108c0e607f22e85e7046cf809e127a6cee36be3d0c81bb8b1cd553a46b960c9f41621cb1d5b0293b3db1

Download Submit
memory/340-172-0x0000000000500000-0x0000000000540000-memory.dmp

Filesize
256KB

Download
memory/340-171-0x0000000000200000-0x0000000000226000-memory.dmp

Filesize
152KB

Download
memory/588-122-0x0000000000400000-0x0000000000604000-memory.dmp

Filesize
2.0MB

Download
memory/588-199-0x0000000000400000-0x0000000000604000-memory.dmp

Filesize
2.0MB

Download
memory/588-91-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/588-118-0x0000000000400000-0x0000000000604000-memory.dmp

Filesize
2.0MB

Download
memory/588-119-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/588-123-0x0000000000400000-0x0000000000604000-memory.dmp

Filesize
2.0MB

Download
memory/760-70-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/760-80-0x0000000000400000-0x0000000000604000-memory.dmp

Filesize
2.0MB

Download
memory/952-96-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/952-106-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/952-99-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/952-100-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/952-101-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/952-102-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/952-103-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/952-109-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/952-110-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/952-108-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/952-104-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/952-107-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/952-105-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1164-150-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1164-156-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1164-170-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1164-162-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1164-146-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1164-147-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1164-148-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1164-149-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1164-159-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1164-151-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1164-152-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1164-153-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1164-154-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1164-157-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1492-117-0x00000000002C0000-0x00000000002D4000-memory.dmp

Filesize
80KB

Download
memory/1492-125-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/1492-93-0x00000000012F0000-0x0000000001438000-memory.dmp

Filesize
1.3MB

Download
memory/1492-94-0x0000000004CC0000-0x0000000004D00000-memory.dmp

Filesize
256KB

Download
memory/1492-139-0x0000000000E80000-0x0000000000E86000-memory.dmp

Filesize
24KB

Download
memory/1492-142-0x000000000A210000-0x000000000A2F6000-memory.dmp

Filesize
920KB

Download
memory/1492-126-0x0000000005560000-0x0000000005682000-memory.dmp

Filesize
1.1MB

Download
memory/1492-120-0x0000000004CC0000-0x0000000004D00000-memory.dmp

Filesize
256KB

Download
memory/1564-116-0x00000000004F0000-0x0000000000504000-memory.dmp

Filesize
80KB

Download
memory/1564-95-0x0000000004270000-0x00000000042B0000-memory.dmp

Filesize
256KB

Download
memory/1564-121-0x0000000004270000-0x00000000042B0000-memory.dmp

Filesize
256KB

Download
memory/1564-92-0x0000000000930000-0x0000000000A78000-memory.dmp

Filesize
1.3MB

Download
memory/1680-141-0x00000000024A0000-0x00000000024E0000-memory.dmp

Filesize
256KB

Download
memory/1680-158-0x00000000024A0000-0x00000000024E0000-memory.dmp

Filesize
256KB

Download