snakekeylogger | bdec6f0bf7b4d3d3b78b6173b6c9fd053d80b86c43db8a9f2e7add084e4ecdc9

Resubmissions

04-04-2023 19:01

230404-xn7h9shd67 10

04-04-2023 17:14

230404-vsdewagh32 10

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04-04-2023 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qbOdWSNNuqquo2E.exe
Size

2.0MB
MD5

40c32c129e09d3eb618e27eb168aaadf
SHA1

6a35a5fa5a53ceba217c66562477e954aec8eb2b
SHA256

e09eaaa707261756f322c8d5b12af0a09c575ffbdd7bf19b895cab4982b7f68a
SHA512

72ba764a542f0f61b0375a37e646d7bbdb78ca2b1aabedd33a42472e5a8099211311d699161ba51f03db6a46481556644542f991e7ef443eec2721d093b7da48
SSDEEP

49152:6nsHyjtk2MYC5GDDMZEf4F0fVGJ2LxsL9ve049:6nsmtk2a1igSA2F0DU

Score

10^/10

snakekeylogger collection keylogger persistence spyware stealer

Malware Config

Extracted

Family

snakekeylogger

https://api.telegram.org/bot6241220793:AAFx6XFOw5z4Op7twC8hAqYib_mTz67Z4Ak/sendMessage?chat_id=2054148913

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1576-374-0x0000000000400000-0x00000000004E2000-memory.dmp	family_snakekeylogger
behavioral2/memory/1576-376-0x0000000000400000-0x00000000004E2000-memory.dmp	family_snakekeylogger
behavioral2/memory/1576-378-0x0000000000400000-0x00000000004E2000-memory.dmp	family_snakekeylogger
C:\Users\Admin\AppData\Local\Temp\._cache_._cache_qbOdWSNNuqquo2E.exe	family_snakekeylogger
behavioral2/memory/1576-442-0x0000000000400000-0x00000000004E2000-memory.dmp	family_snakekeylogger
C:\Users\Admin\AppData\Local\Temp\._cache_._cache_qbOdWSNNuqquo2E.exe	family_snakekeylogger
behavioral2/memory/1576-455-0x0000000000400000-0x00000000004E2000-memory.dmp	family_snakekeylogger
C:\Users\Admin\AppData\Local\Temp\._cache_._cache_qbOdWSNNuqquo2E.exe	family_snakekeylogger
behavioral2/memory/3988-456-0x0000000000790000-0x00000000007B6000-memory.dmp	family_snakekeylogger
behavioral2/memory/3988-485-0x0000000005360000-0x0000000005370000-memory.dmp	family_snakekeylogger

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

qbOdWSNNuqquo2E.exeSynaptics.exe._cache_qbOdWSNNuqquo2E.exe._cache_qbOdWSNNuqquo2E.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	qbOdWSNNuqquo2E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	._cache_qbOdWSNNuqquo2E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	._cache_qbOdWSNNuqquo2E.exe

Executes dropped EXE 5 IoCs

Processes:

._cache_qbOdWSNNuqquo2E.exeSynaptics.exe._cache_Synaptics.exe._cache_qbOdWSNNuqquo2E.exe._cache_._cache_qbOdWSNNuqquo2E.exe

pid	process
216	._cache_qbOdWSNNuqquo2E.exe
1324	Synaptics.exe
2720	._cache_Synaptics.exe
1576	._cache_qbOdWSNNuqquo2E.exe
3988	._cache_._cache_qbOdWSNNuqquo2E.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

._cache_._cache_qbOdWSNNuqquo2E.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_._cache_qbOdWSNNuqquo2E.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_._cache_qbOdWSNNuqquo2E.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_._cache_qbOdWSNNuqquo2E.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

qbOdWSNNuqquo2E.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	qbOdWSNNuqquo2E.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

53 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

._cache_qbOdWSNNuqquo2E.exe

description pid process target process

PID 216 set thread context of 1576 216 ._cache_qbOdWSNNuqquo2E.exe ._cache_qbOdWSNNuqquo2E.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1652 2720 WerFault.exe ._cache_Synaptics.exe

flow	ioc
53	checkip.dyndns.org

description	pid	process	target process
PID 216 set thread context of 1576	216	._cache_qbOdWSNNuqquo2E.exe	._cache_qbOdWSNNuqquo2E.exe

pid	pid_target	process	target process
1652	2720	WerFault.exe	._cache_Synaptics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2008 schtasks.exe

pid	process
2008	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Modifies registry class 3 IoCs

Processes:

qbOdWSNNuqquo2E.exeSynaptics.exe._cache_qbOdWSNNuqquo2E.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	qbOdWSNNuqquo2E.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_qbOdWSNNuqquo2E.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4316 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exe._cache_._cache_qbOdWSNNuqquo2E.exe

pid process

3968 powershell.exe
3968 powershell.exe
3988 ._cache_._cache_qbOdWSNNuqquo2E.exe
3988 ._cache_._cache_qbOdWSNNuqquo2E.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exe._cache_._cache_qbOdWSNNuqquo2E.exe

description pid process

Token: SeDebugPrivilege 3968 powershell.exe
Token: SeDebugPrivilege 3988 ._cache_._cache_qbOdWSNNuqquo2E.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

EXCEL.EXE

pid process

4316 EXCEL.EXE
4316 EXCEL.EXE
4316 EXCEL.EXE
4316 EXCEL.EXE

pid	process
4316	EXCEL.EXE

pid	process
3968	powershell.exe
3968	powershell.exe
3988	._cache_._cache_qbOdWSNNuqquo2E.exe
3988	._cache_._cache_qbOdWSNNuqquo2E.exe

description	pid	process
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeDebugPrivilege	3988	._cache_._cache_qbOdWSNNuqquo2E.exe

pid	process
4316	EXCEL.EXE
4316	EXCEL.EXE
4316	EXCEL.EXE
4316	EXCEL.EXE

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

qbOdWSNNuqquo2E.exeSynaptics.exe._cache_qbOdWSNNuqquo2E.exe._cache_qbOdWSNNuqquo2E.exe

description	pid	process	target process
PID 1312 wrote to memory of 216	1312	qbOdWSNNuqquo2E.exe	._cache_qbOdWSNNuqquo2E.exe
PID 1312 wrote to memory of 216	1312	qbOdWSNNuqquo2E.exe	._cache_qbOdWSNNuqquo2E.exe
PID 1312 wrote to memory of 216	1312	qbOdWSNNuqquo2E.exe	._cache_qbOdWSNNuqquo2E.exe
PID 1312 wrote to memory of 1324	1312	qbOdWSNNuqquo2E.exe	Synaptics.exe
PID 1312 wrote to memory of 1324	1312	qbOdWSNNuqquo2E.exe	Synaptics.exe
PID 1312 wrote to memory of 1324	1312	qbOdWSNNuqquo2E.exe	Synaptics.exe
PID 1324 wrote to memory of 2720	1324	Synaptics.exe	._cache_Synaptics.exe
PID 1324 wrote to memory of 2720	1324	Synaptics.exe	._cache_Synaptics.exe
PID 1324 wrote to memory of 2720	1324	Synaptics.exe	._cache_Synaptics.exe
PID 216 wrote to memory of 3968	216	._cache_qbOdWSNNuqquo2E.exe	powershell.exe
PID 216 wrote to memory of 3968	216	._cache_qbOdWSNNuqquo2E.exe	powershell.exe
PID 216 wrote to memory of 3968	216	._cache_qbOdWSNNuqquo2E.exe	powershell.exe
PID 216 wrote to memory of 2008	216	._cache_qbOdWSNNuqquo2E.exe	schtasks.exe
PID 216 wrote to memory of 2008	216	._cache_qbOdWSNNuqquo2E.exe	schtasks.exe
PID 216 wrote to memory of 2008	216	._cache_qbOdWSNNuqquo2E.exe	schtasks.exe
PID 216 wrote to memory of 1576	216	._cache_qbOdWSNNuqquo2E.exe	._cache_qbOdWSNNuqquo2E.exe
PID 216 wrote to memory of 1576	216	._cache_qbOdWSNNuqquo2E.exe	._cache_qbOdWSNNuqquo2E.exe
PID 216 wrote to memory of 1576	216	._cache_qbOdWSNNuqquo2E.exe	._cache_qbOdWSNNuqquo2E.exe
PID 216 wrote to memory of 1576	216	._cache_qbOdWSNNuqquo2E.exe	._cache_qbOdWSNNuqquo2E.exe
PID 216 wrote to memory of 1576	216	._cache_qbOdWSNNuqquo2E.exe	._cache_qbOdWSNNuqquo2E.exe
PID 216 wrote to memory of 1576	216	._cache_qbOdWSNNuqquo2E.exe	._cache_qbOdWSNNuqquo2E.exe
PID 216 wrote to memory of 1576	216	._cache_qbOdWSNNuqquo2E.exe	._cache_qbOdWSNNuqquo2E.exe
PID 216 wrote to memory of 1576	216	._cache_qbOdWSNNuqquo2E.exe	._cache_qbOdWSNNuqquo2E.exe
PID 216 wrote to memory of 1576	216	._cache_qbOdWSNNuqquo2E.exe	._cache_qbOdWSNNuqquo2E.exe
PID 216 wrote to memory of 1576	216	._cache_qbOdWSNNuqquo2E.exe	._cache_qbOdWSNNuqquo2E.exe
PID 216 wrote to memory of 1576	216	._cache_qbOdWSNNuqquo2E.exe	._cache_qbOdWSNNuqquo2E.exe
PID 1576 wrote to memory of 3988	1576	._cache_qbOdWSNNuqquo2E.exe	._cache_._cache_qbOdWSNNuqquo2E.exe
PID 1576 wrote to memory of 3988	1576	._cache_qbOdWSNNuqquo2E.exe	._cache_._cache_qbOdWSNNuqquo2E.exe
PID 1576 wrote to memory of 3988	1576	._cache_qbOdWSNNuqquo2E.exe	._cache_._cache_qbOdWSNNuqquo2E.exe

outlook_office_path 1 IoCs

Processes:

._cache_._cache_qbOdWSNNuqquo2E.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_._cache_qbOdWSNNuqquo2E.exe

outlook_win_path 1 IoCs

Processes:

._cache_._cache_qbOdWSNNuqquo2E.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_._cache_qbOdWSNNuqquo2E.exe

C:\Users\Admin\AppData\Local\Temp\qbOdWSNNuqquo2E.exe
"C:\Users\Admin\AppData\Local\Temp\qbOdWSNNuqquo2E.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1312

C:\Users\Admin\AppData\Local\Temp\._cache_qbOdWSNNuqquo2E.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_qbOdWSNNuqquo2E.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bRBgyCtm.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bRBgyCtm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3CCA.tmp"
3⤵
- Creates scheduled task(s)
PID:2008

C:\Users\Admin\AppData\Local\Temp\._cache_qbOdWSNNuqquo2E.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_qbOdWSNNuqquo2E.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1576

C:\Users\Admin\AppData\Local\Temp\._cache_._cache_qbOdWSNNuqquo2E.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_._cache_qbOdWSNNuqquo2E.exe"
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3988

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1324

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
3⤵
- Executes dropped EXE
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 1220
4⤵
- Program crash
PID:1652

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2720 -ip 2720
1⤵
PID:3420

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe
Filesize
2.0MB

MD5
40c32c129e09d3eb618e27eb168aaadf

SHA1
6a35a5fa5a53ceba217c66562477e954aec8eb2b

SHA256
e09eaaa707261756f322c8d5b12af0a09c575ffbdd7bf19b895cab4982b7f68a

SHA512
72ba764a542f0f61b0375a37e646d7bbdb78ca2b1aabedd33a42472e5a8099211311d699161ba51f03db6a46481556644542f991e7ef443eec2721d093b7da48

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
Filesize
2.0MB

MD5
40c32c129e09d3eb618e27eb168aaadf

SHA1
6a35a5fa5a53ceba217c66562477e954aec8eb2b

SHA256
e09eaaa707261756f322c8d5b12af0a09c575ffbdd7bf19b895cab4982b7f68a

SHA512
72ba764a542f0f61b0375a37e646d7bbdb78ca2b1aabedd33a42472e5a8099211311d699161ba51f03db6a46481556644542f991e7ef443eec2721d093b7da48

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
Filesize
2.0MB

MD5
40c32c129e09d3eb618e27eb168aaadf

SHA1
6a35a5fa5a53ceba217c66562477e954aec8eb2b

SHA256
e09eaaa707261756f322c8d5b12af0a09c575ffbdd7bf19b895cab4982b7f68a

SHA512
72ba764a542f0f61b0375a37e646d7bbdb78ca2b1aabedd33a42472e5a8099211311d699161ba51f03db6a46481556644542f991e7ef443eec2721d093b7da48

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_._cache_qbOdWSNNuqquo2E.exe
Filesize
127KB

MD5
2306789692c2e5e8ea14fe50fcb67f8a

SHA1
c8b5ebd3841889ece6b1fb8ee62d6b3aaf752912

SHA256
8fd9fe29be30f381199070f2c09d8213c0ac8be98836086052bb83fe53d7f6c3

SHA512
367d04fe143f81a78f78e997d32b97f8787a42f34da1026e99e990465243eb51dacd569e7ca298b40f7ba3e9e315249e23fcde60930af072ba5de10a568ded1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_._cache_qbOdWSNNuqquo2E.exe
Filesize
127KB

MD5
2306789692c2e5e8ea14fe50fcb67f8a

SHA1
c8b5ebd3841889ece6b1fb8ee62d6b3aaf752912

SHA256
8fd9fe29be30f381199070f2c09d8213c0ac8be98836086052bb83fe53d7f6c3

SHA512
367d04fe143f81a78f78e997d32b97f8787a42f34da1026e99e990465243eb51dacd569e7ca298b40f7ba3e9e315249e23fcde60930af072ba5de10a568ded1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_._cache_qbOdWSNNuqquo2E.exe
Filesize
127KB

MD5
2306789692c2e5e8ea14fe50fcb67f8a

SHA1
c8b5ebd3841889ece6b1fb8ee62d6b3aaf752912

SHA256
8fd9fe29be30f381199070f2c09d8213c0ac8be98836086052bb83fe53d7f6c3

SHA512
367d04fe143f81a78f78e997d32b97f8787a42f34da1026e99e990465243eb51dacd569e7ca298b40f7ba3e9e315249e23fcde60930af072ba5de10a568ded1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
Filesize
1.3MB

MD5
8aeb2829342f8bb9acb171472da1d64e

SHA1
b04d798d1375c242273fd6a1d8553b9312663668

SHA256
9d0618a3a6027f47ebd85a126770e86f37e6e47b35f2175e7fde30acf1d73020

SHA512
2b3dfadd3dfc8ae36708774eecd78a183f60392742f8108c0e607f22e85e7046cf809e127a6cee36be3d0c81bb8b1cd553a46b960c9f41621cb1d5b0293b3db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
Filesize
1.3MB

MD5
8aeb2829342f8bb9acb171472da1d64e

SHA1
b04d798d1375c242273fd6a1d8553b9312663668

SHA256
9d0618a3a6027f47ebd85a126770e86f37e6e47b35f2175e7fde30acf1d73020

SHA512
2b3dfadd3dfc8ae36708774eecd78a183f60392742f8108c0e607f22e85e7046cf809e127a6cee36be3d0c81bb8b1cd553a46b960c9f41621cb1d5b0293b3db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_qbOdWSNNuqquo2E.exe
Filesize
1.3MB

MD5
8aeb2829342f8bb9acb171472da1d64e

SHA1
b04d798d1375c242273fd6a1d8553b9312663668

SHA256
9d0618a3a6027f47ebd85a126770e86f37e6e47b35f2175e7fde30acf1d73020

SHA512
2b3dfadd3dfc8ae36708774eecd78a183f60392742f8108c0e607f22e85e7046cf809e127a6cee36be3d0c81bb8b1cd553a46b960c9f41621cb1d5b0293b3db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_qbOdWSNNuqquo2E.exe
Filesize
1.3MB

MD5
8aeb2829342f8bb9acb171472da1d64e

SHA1
b04d798d1375c242273fd6a1d8553b9312663668

SHA256
9d0618a3a6027f47ebd85a126770e86f37e6e47b35f2175e7fde30acf1d73020

SHA512
2b3dfadd3dfc8ae36708774eecd78a183f60392742f8108c0e607f22e85e7046cf809e127a6cee36be3d0c81bb8b1cd553a46b960c9f41621cb1d5b0293b3db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_qbOdWSNNuqquo2E.exe
Filesize
1.3MB

MD5
8aeb2829342f8bb9acb171472da1d64e

SHA1
b04d798d1375c242273fd6a1d8553b9312663668

SHA256
9d0618a3a6027f47ebd85a126770e86f37e6e47b35f2175e7fde30acf1d73020

SHA512
2b3dfadd3dfc8ae36708774eecd78a183f60392742f8108c0e607f22e85e7046cf809e127a6cee36be3d0c81bb8b1cd553a46b960c9f41621cb1d5b0293b3db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_qbOdWSNNuqquo2E.exe
Filesize
1.3MB

MD5
8aeb2829342f8bb9acb171472da1d64e

SHA1
b04d798d1375c242273fd6a1d8553b9312663668

SHA256
9d0618a3a6027f47ebd85a126770e86f37e6e47b35f2175e7fde30acf1d73020

SHA512
2b3dfadd3dfc8ae36708774eecd78a183f60392742f8108c0e607f22e85e7046cf809e127a6cee36be3d0c81bb8b1cd553a46b960c9f41621cb1d5b0293b3db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nf0waeu3.udf.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\eP7CGZqh.xlsm
Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3CCA.tmp
Filesize
1KB

MD5
3146a61fe7904fcbeb366e9cfece6363

SHA1
9f49579a8adec46f3737391e99a2fc81b4a43ad7

SHA256
ef1c1262b48eb73e592f082bb4d4ee737ccac0a7b993b2c309e823aa6245839c

SHA512
fd4109af9b867f179b2106e66e8295957a3e64751faea73d72b078c6019af859412ed1d3cb8b3b5f418d0e51cf217b50a90ef21bbcda6135fb24e0447c5bd020

Download Submit
memory/216-352-0x0000000005B20000-0x0000000005B30000-memory.dmp

Filesize
64KB

Download
memory/216-327-0x0000000005B20000-0x0000000005B30000-memory.dmp

Filesize
64KB

Download
memory/216-363-0x0000000007780000-0x000000000781C000-memory.dmp

Filesize
624KB

Download
memory/216-314-0x00000000059D0000-0x0000000005A62000-memory.dmp

Filesize
584KB

Download
memory/216-326-0x0000000005AA0000-0x0000000005AAA000-memory.dmp

Filesize
40KB

Download
memory/216-313-0x0000000006040000-0x00000000065E4000-memory.dmp

Filesize
5.6MB

Download
memory/216-264-0x0000000000EE0000-0x0000000001028000-memory.dmp

Filesize
1.3MB

Download
memory/1312-183-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/1312-261-0x0000000000400000-0x0000000000604000-memory.dmp

Filesize
2.0MB

Download
memory/1324-358-0x0000000000400000-0x0000000000604000-memory.dmp

Filesize
2.0MB

Download
memory/1324-341-0x0000000000400000-0x0000000000604000-memory.dmp

Filesize
2.0MB

Download
memory/1324-491-0x0000000000400000-0x0000000000604000-memory.dmp

Filesize
2.0MB

Download
memory/1324-505-0x0000000000400000-0x0000000000604000-memory.dmp

Filesize
2.0MB

Download
memory/1324-324-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/1576-374-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1576-442-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1576-443-0x0000000001670000-0x0000000001671000-memory.dmp

Filesize
4KB

Download
memory/1576-455-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1576-378-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1576-376-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2720-353-0x00000000058A0000-0x00000000058B0000-memory.dmp

Filesize
64KB

Download
memory/2720-328-0x00000000058A0000-0x00000000058B0000-memory.dmp

Filesize
64KB

Download
memory/3968-382-0x00000000059C0000-0x0000000005A26000-memory.dmp

Filesize
408KB

Download
memory/3968-459-0x0000000006620000-0x0000000006652000-memory.dmp

Filesize
200KB

Download
memory/3968-369-0x0000000004B30000-0x0000000004B66000-memory.dmp

Filesize
216KB

Download
memory/3968-381-0x00000000051F0000-0x0000000005212000-memory.dmp

Filesize
136KB

Download
memory/3968-372-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/3968-474-0x00000000073D0000-0x00000000073EA000-memory.dmp

Filesize
104KB

Download
memory/3968-388-0x0000000005AA0000-0x0000000005B06000-memory.dmp

Filesize
408KB

Download
memory/3968-444-0x00000000060D0000-0x00000000060EE000-memory.dmp

Filesize
120KB

Download
memory/3968-470-0x00000000066E0000-0x00000000066FE000-memory.dmp

Filesize
120KB

Download
memory/3968-371-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/3968-472-0x000000007FAE0000-0x000000007FAF0000-memory.dmp

Filesize
64KB

Download
memory/3968-477-0x0000000007610000-0x000000000761E000-memory.dmp

Filesize
56KB

Download
memory/3968-479-0x0000000007720000-0x000000000773A000-memory.dmp

Filesize
104KB

Download
memory/3968-480-0x0000000007700000-0x0000000007708000-memory.dmp

Filesize
32KB

Download
memory/3968-373-0x0000000005290000-0x00000000058B8000-memory.dmp

Filesize
6.2MB

Download
memory/3968-473-0x0000000007A10000-0x000000000808A000-memory.dmp

Filesize
6.5MB

Download
memory/3968-458-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/3968-476-0x0000000007660000-0x00000000076F6000-memory.dmp

Filesize
600KB

Download
memory/3968-460-0x0000000073680000-0x00000000736CC000-memory.dmp

Filesize
304KB

Download
memory/3968-475-0x0000000007440000-0x000000000744A000-memory.dmp

Filesize
40KB

Download
memory/3988-456-0x0000000000790000-0x00000000007B6000-memory.dmp

Filesize
152KB

Download
memory/3988-457-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/3988-478-0x0000000006440000-0x0000000006602000-memory.dmp

Filesize
1.8MB

Download
memory/3988-485-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/4316-354-0x0000016C13B30000-0x0000016C13CD9000-memory.dmp

Filesize
1.7MB

Download
memory/4316-335-0x00007FFFB6230000-0x00007FFFB6240000-memory.dmp

Filesize
64KB

Download
memory/4316-334-0x00007FFFB6230000-0x00007FFFB6240000-memory.dmp

Filesize
64KB

Download
memory/4316-333-0x00007FFFB8410000-0x00007FFFB8420000-memory.dmp

Filesize
64KB

Download
memory/4316-332-0x00007FFFB8410000-0x00007FFFB8420000-memory.dmp

Filesize
64KB

Download
memory/4316-331-0x00007FFFB8410000-0x00007FFFB8420000-memory.dmp

Filesize
64KB

Download
memory/4316-330-0x00007FFFB8410000-0x00007FFFB8420000-memory.dmp

Filesize
64KB

Download
memory/4316-329-0x00007FFFB8410000-0x00007FFFB8420000-memory.dmp

Filesize
64KB

Download