snakekeylogger | 50adf3d89dae3573c0ce2b3152cb50f5938e561e884657430752fcea2573eb8b

Analysis

max time kernel
148s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2023 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f149fac933a5eb6928c7c97e6272f2f3f5af71fcb93f9850a22b24a19d0755b.exe
Size

480KB
MD5

43a01a183b3a8ae84d610a0d32deadc1
SHA1

dafabf5c99f8e872dc97cfaef742d57102f598b4
SHA256

0f149fac933a5eb6928c7c97e6272f2f3f5af71fcb93f9850a22b24a19d0755b
SHA512

3c5133e25a7555b94450efc03c7cae7b605fdaa48f9d5c58f3d50bc0334d727fb6fe286c1fb9e2bdd4162b05f3dc0150ea2fadeeff8e3de98d313de5e05b13c8
SSDEEP

12288:H7RN1oI4HAZvbdimEhbV0HAFwpTpBU073FEggkUpRgCKP+:HP4AZzdimEh71gCKP+

Score

10^/10

snakekeylogger keylogger link miner pdf stealer upx

Malware Config

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\FCPreScan\vir_sig\vir_high_flat_sig	family_snakekeylogger

Detectes Phoenix Miner Payload 1 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\FCPreScan\vir_sig\vir_high_flat_sig	miner_phoenix

Drops file in Drivers directory 1 IoCs

Processes:

av_task.exe

description ioc process

File created C:\Windows\system32\Drivers\mdare64_64.sys av_task.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\mdare64_64.sys	av_task.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0f149fac933a5eb6928c7c97e6272f2f3f5af71fcb93f9850a22b24a19d0755b.exeFortiClientOfflineVirusCleaner.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation	0f149fac933a5eb6928c7c97e6272f2f3f5af71fcb93f9850a22b24a19d0755b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation	FortiClientOfflineVirusCleaner.exe

Executes dropped EXE 3 IoCs

Processes:

FortiClientOfflineVirusCleaner.exeav_task.exeav_task.exe

pid process

1688 FortiClientOfflineVirusCleaner.exe
1856 av_task.exe
4728 av_task.exe

pid	process
1688	FortiClientOfflineVirusCleaner.exe
1856	av_task.exe
4728	av_task.exe

Loads dropped DLL 16 IoCs

Processes:

av_task.exeav_task.exe

pid	process
1856	av_task.exe
1856	av_task.exe
1856	av_task.exe
1856	av_task.exe
1856	av_task.exe
1856	av_task.exe
1856	av_task.exe
1856	av_task.exe
4728	av_task.exe
4728	av_task.exe
4728	av_task.exe
4728	av_task.exe
4728	av_task.exe
4728	av_task.exe
4728	av_task.exe
4728	av_task.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/900-0-0x0000000000AB0000-0x0000000000BBA000-memory.dmp	upx
behavioral2/memory/900-15-0x0000000000AB0000-0x0000000000BBA000-memory.dmp	upx
behavioral2/memory/900-40-0x0000000000AB0000-0x0000000000BBA000-memory.dmp	upx
behavioral2/memory/900-81-0x0000000000AB0000-0x0000000000BBA000-memory.dmp	upx

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\FCPreScan\vir_sig\vir_high_flat_sig	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

Processes:

0f149fac933a5eb6928c7c97e6272f2f3f5af71fcb93f9850a22b24a19d0755b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}\InProcServer32	0f149fac933a5eb6928c7c97e6272f2f3f5af71fcb93f9850a22b24a19d0755b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}\InProcServer32\ = "diskcopy.dll"	0f149fac933a5eb6928c7c97e6272f2f3f5af71fcb93f9850a22b24a19d0755b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}\InProcServer32\ThreadingModel = "Apartment"	0f149fac933a5eb6928c7c97e6272f2f3f5af71fcb93f9850a22b24a19d0755b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}\InProcServer32\AppID = "{7AB3B90F-BE6C-47CF-A2A6-6A4A2663AD6E}"	0f149fac933a5eb6928c7c97e6272f2f3f5af71fcb93f9850a22b24a19d0755b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}	0f149fac933a5eb6928c7c97e6272f2f3f5af71fcb93f9850a22b24a19d0755b.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

0f149fac933a5eb6928c7c97e6272f2f3f5af71fcb93f9850a22b24a19d0755b.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	0f149fac933a5eb6928c7c97e6272f2f3f5af71fcb93f9850a22b24a19d0755b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	0f149fac933a5eb6928c7c97e6272f2f3f5af71fcb93f9850a22b24a19d0755b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	0f149fac933a5eb6928c7c97e6272f2f3f5af71fcb93f9850a22b24a19d0755b.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0f149fac933a5eb6928c7c97e6272f2f3f5af71fcb93f9850a22b24a19d0755b.exe

pid	process
900	0f149fac933a5eb6928c7c97e6272f2f3f5af71fcb93f9850a22b24a19d0755b.exe
900	0f149fac933a5eb6928c7c97e6272f2f3f5af71fcb93f9850a22b24a19d0755b.exe

Suspicious behavior: LoadsDriver 30 IoCs

Processes:

pid process

660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660

pid	process
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

av_task.exeav_task.exe

description	pid	process
Token: SeBackupPrivilege	1856	av_task.exe
Token: SeDebugPrivilege	1856	av_task.exe
Token: SeDebugPrivilege	1856	av_task.exe
Token: SeBackupPrivilege	4728	av_task.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

av_task.exe

pid process

1856 av_task.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

FortiClientOfflineVirusCleaner.exe

pid process

1688 FortiClientOfflineVirusCleaner.exe
1688 FortiClientOfflineVirusCleaner.exe

pid	process
1688	FortiClientOfflineVirusCleaner.exe
1688	FortiClientOfflineVirusCleaner.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0f149fac933a5eb6928c7c97e6272f2f3f5af71fcb93f9850a22b24a19d0755b.exeFortiClientOfflineVirusCleaner.exeav_task.exe

description	pid	process	target process
PID 900 wrote to memory of 1688	900	0f149fac933a5eb6928c7c97e6272f2f3f5af71fcb93f9850a22b24a19d0755b.exe	FortiClientOfflineVirusCleaner.exe
PID 900 wrote to memory of 1688	900	0f149fac933a5eb6928c7c97e6272f2f3f5af71fcb93f9850a22b24a19d0755b.exe	FortiClientOfflineVirusCleaner.exe
PID 900 wrote to memory of 1688	900	0f149fac933a5eb6928c7c97e6272f2f3f5af71fcb93f9850a22b24a19d0755b.exe	FortiClientOfflineVirusCleaner.exe
PID 1688 wrote to memory of 1856	1688	FortiClientOfflineVirusCleaner.exe	av_task.exe
PID 1688 wrote to memory of 1856	1688	FortiClientOfflineVirusCleaner.exe	av_task.exe
PID 1688 wrote to memory of 1856	1688	FortiClientOfflineVirusCleaner.exe	av_task.exe
PID 1856 wrote to memory of 4728	1856	av_task.exe	av_task.exe
PID 1856 wrote to memory of 4728	1856	av_task.exe	av_task.exe
PID 1856 wrote to memory of 4728	1856	av_task.exe	av_task.exe

C:\Users\Admin\AppData\Local\Temp\0f149fac933a5eb6928c7c97e6272f2f3f5af71fcb93f9850a22b24a19d0755b.exe
"C:\Users\Admin\AppData\Local\Temp\0f149fac933a5eb6928c7c97e6272f2f3f5af71fcb93f9850a22b24a19d0755b.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:900

C:\Users\Admin\AppData\Local\Temp\FortiClientOfflineVirusCleaner.exe
"C:\Users\Admin\AppData\Local\Temp\FortiClientOfflineVirusCleaner.exe" -q
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Local\Temp\FCPreScan\av_task.exe
"C:\Users\Admin\AppData\Local\Temp\FCPreScan\av_task.exe" -i -q -x
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1856

C:\Users\Admin\AppData\Local\Temp\FCPreScan\av_task.exe
"C:\Users\Admin\AppData\Local\Temp\FCPreScan\av_task.exe" -c 57685 -i -q -l "C:\Users\Admin\AppData\Local\Temp\FCPreScan\logs\avscan_1856.log" -v "C:\Users\Admin\AppData\Local\Temp\17A2B82A-5760-44E6-807F-B5B210EB98B3\F0B8352E-37CC-4ED9-9809-FCD1B4A2CB30"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FCPreScan\LIBEAY32.dll

Filesize
1.2MB

MD5
400e637b1194d1cdcb005cda694925d9

SHA1
08f2b715c1f1d65a8c7e2167e4d4b12b4184cff8

SHA256
a48235cc90239cc6b33aa98fff057f01d9bbbf0a5ba516c8aca210aec0906d6f

SHA512
ca684770aac292959dbc099171e7e034e1d1231c46006ba94ecc946c1f3f238f5fb2dce9158d8e10424d00403e34c7c21365f558a8365251020c9ae17916def0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCPreScan\MSVCP120.dll

Filesize
444KB

MD5
fd5cabbe52272bd76007b68186ebaf00

SHA1
efd1e306c1092c17f6944cc6bf9a1bfad4d14613

SHA256
87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608

SHA512
1563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCPreScan\MSVCR120.dll

Filesize
948KB

MD5
034ccadc1c073e4216e9466b720f9849

SHA1
f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

SHA256
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

SHA512
5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCPreScan\av_task.exe

Filesize
160KB

MD5
7df9a9b2eaa7ee44ec694f341adde5a1

SHA1
d5306b2dcb9712248cd775aa699b5a6554143954

SHA256
c8d5bba0d454b5f01d462ecd570537df770ba9992b6f7210fe5396a82649a390

SHA512
20c8303a857501eab739c7e286cffb5f2cdbb68ec115cc4fe1488160de56a56d535d7e846fceee63bd2549c270816490f5ccd974ac0b401cfaf78c9833a91357

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCPreScan\av_task.exe

Filesize
160KB

MD5
7df9a9b2eaa7ee44ec694f341adde5a1

SHA1
d5306b2dcb9712248cd775aa699b5a6554143954

SHA256
c8d5bba0d454b5f01d462ecd570537df770ba9992b6f7210fe5396a82649a390

SHA512
20c8303a857501eab739c7e286cffb5f2cdbb68ec115cc4fe1488160de56a56d535d7e846fceee63bd2549c270816490f5ccd974ac0b401cfaf78c9833a91357

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCPreScan\av_task.exe

Filesize
160KB

MD5
7df9a9b2eaa7ee44ec694f341adde5a1

SHA1
d5306b2dcb9712248cd775aa699b5a6554143954

SHA256
c8d5bba0d454b5f01d462ecd570537df770ba9992b6f7210fe5396a82649a390

SHA512
20c8303a857501eab739c7e286cffb5f2cdbb68ec115cc4fe1488160de56a56d535d7e846fceee63bd2549c270816490f5ccd974ac0b401cfaf78c9833a91357

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCPreScan\av_task.exe

Filesize
160KB

MD5
7df9a9b2eaa7ee44ec694f341adde5a1

SHA1
d5306b2dcb9712248cd775aa699b5a6554143954

SHA256
c8d5bba0d454b5f01d462ecd570537df770ba9992b6f7210fe5396a82649a390

SHA512
20c8303a857501eab739c7e286cffb5f2cdbb68ec115cc4fe1488160de56a56d535d7e846fceee63bd2549c270816490f5ccd974ac0b401cfaf78c9833a91357

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCPreScan\libav.dll

Filesize
2.1MB

MD5
03e7a3c18dbea2f639224b4ebae97b00

SHA1
e400bf02da1c559547d91d9671ddb43a046078ce

SHA256
845cb2b3fc588d045de6abea4f0f9f0b2ae6eea9d6a2f9bb771f72cdf0ad0fdc

SHA512
45bad4b6d660d03f6a9586e489a60fe4b6d817e157689f686f2f6ce1a8583f1b97ad122844819fcaad8730f807072b698e00619cf16f04702ed15b2d56b5a25f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCPreScan\libav.dll

Filesize
2.1MB

MD5
03e7a3c18dbea2f639224b4ebae97b00

SHA1
e400bf02da1c559547d91d9671ddb43a046078ce

SHA256
845cb2b3fc588d045de6abea4f0f9f0b2ae6eea9d6a2f9bb771f72cdf0ad0fdc

SHA512
45bad4b6d660d03f6a9586e489a60fe4b6d817e157689f686f2f6ce1a8583f1b97ad122844819fcaad8730f807072b698e00619cf16f04702ed15b2d56b5a25f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCPreScan\libav.dll

Filesize
2.1MB

MD5
03e7a3c18dbea2f639224b4ebae97b00

SHA1
e400bf02da1c559547d91d9671ddb43a046078ce

SHA256
845cb2b3fc588d045de6abea4f0f9f0b2ae6eea9d6a2f9bb771f72cdf0ad0fdc

SHA512
45bad4b6d660d03f6a9586e489a60fe4b6d817e157689f686f2f6ce1a8583f1b97ad122844819fcaad8730f807072b698e00619cf16f04702ed15b2d56b5a25f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCPreScan\libavr.dll

Filesize
126KB

MD5
332db177756cceeeedacb4698b72bb9c

SHA1
cfbfbbd3c88a62bf0731936d376fcb5d6dd1ec00

SHA256
11bfba78b2d14e0993f9f361434b21f5e1b55084f92127fd70a3b6317b2dbb6e

SHA512
5928809f667834ff6c03702b94774c83017779de931765d6a2b690ae4cc3e35fc74bc9db1306da5bf55852a33307f15b72e6a116c2e3e5bcf28caeb82af542a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCPreScan\libavr.dll

Filesize
126KB

MD5
332db177756cceeeedacb4698b72bb9c

SHA1
cfbfbbd3c88a62bf0731936d376fcb5d6dd1ec00

SHA256
11bfba78b2d14e0993f9f361434b21f5e1b55084f92127fd70a3b6317b2dbb6e

SHA512
5928809f667834ff6c03702b94774c83017779de931765d6a2b690ae4cc3e35fc74bc9db1306da5bf55852a33307f15b72e6a116c2e3e5bcf28caeb82af542a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCPreScan\libavr.dll

Filesize
126KB

MD5
332db177756cceeeedacb4698b72bb9c

SHA1
cfbfbbd3c88a62bf0731936d376fcb5d6dd1ec00

SHA256
11bfba78b2d14e0993f9f361434b21f5e1b55084f92127fd70a3b6317b2dbb6e

SHA512
5928809f667834ff6c03702b94774c83017779de931765d6a2b690ae4cc3e35fc74bc9db1306da5bf55852a33307f15b72e6a116c2e3e5bcf28caeb82af542a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCPreScan\libeay32.dll

Filesize
1.2MB

MD5
400e637b1194d1cdcb005cda694925d9

SHA1
08f2b715c1f1d65a8c7e2167e4d4b12b4184cff8

SHA256
a48235cc90239cc6b33aa98fff057f01d9bbbf0a5ba516c8aca210aec0906d6f

SHA512
ca684770aac292959dbc099171e7e034e1d1231c46006ba94ecc946c1f3f238f5fb2dce9158d8e10424d00403e34c7c21365f558a8365251020c9ae17916def0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCPreScan\libeay32.dll

Filesize
1.2MB

MD5
400e637b1194d1cdcb005cda694925d9

SHA1
08f2b715c1f1d65a8c7e2167e4d4b12b4184cff8

SHA256
a48235cc90239cc6b33aa98fff057f01d9bbbf0a5ba516c8aca210aec0906d6f

SHA512
ca684770aac292959dbc099171e7e034e1d1231c46006ba94ecc946c1f3f238f5fb2dce9158d8e10424d00403e34c7c21365f558a8365251020c9ae17916def0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCPreScan\mdare.dll

Filesize
1.2MB

MD5
e2e0a967792fc9bffebfa3e03fe0bddc

SHA1
b984157c0f060c1d3c3ef4457ffc913940cd51f8

SHA256
37dca23d14d17120f567b31d13813fb01968fa9df1f1cad18e54d4c725c4c1e8

SHA512
ca0f02fbc49878e571efa82ee601063f3d27fce5173f35ba241e908ee58251cb674b379bde3fc280132ecacc9ef91d7a0a69b6e29465b08324736fc615e08328

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCPreScan\mdare.dll

Filesize
1.2MB

MD5
e2e0a967792fc9bffebfa3e03fe0bddc

SHA1
b984157c0f060c1d3c3ef4457ffc913940cd51f8

SHA256
37dca23d14d17120f567b31d13813fb01968fa9df1f1cad18e54d4c725c4c1e8

SHA512
ca0f02fbc49878e571efa82ee601063f3d27fce5173f35ba241e908ee58251cb674b379bde3fc280132ecacc9ef91d7a0a69b6e29465b08324736fc615e08328

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCPreScan\mdare.dll

Filesize
1.2MB

MD5
e2e0a967792fc9bffebfa3e03fe0bddc

SHA1
b984157c0f060c1d3c3ef4457ffc913940cd51f8

SHA256
37dca23d14d17120f567b31d13813fb01968fa9df1f1cad18e54d4c725c4c1e8

SHA512
ca0f02fbc49878e571efa82ee601063f3d27fce5173f35ba241e908ee58251cb674b379bde3fc280132ecacc9ef91d7a0a69b6e29465b08324736fc615e08328

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCPreScan\msvcp120.dll

Filesize
444KB

MD5
fd5cabbe52272bd76007b68186ebaf00

SHA1
efd1e306c1092c17f6944cc6bf9a1bfad4d14613

SHA256
87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608

SHA512
1563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCPreScan\msvcp120.dll

Filesize
444KB

MD5
fd5cabbe52272bd76007b68186ebaf00

SHA1
efd1e306c1092c17f6944cc6bf9a1bfad4d14613

SHA256
87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608

SHA512
1563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCPreScan\msvcr120.dll

Filesize
948KB

MD5
034ccadc1c073e4216e9466b720f9849

SHA1
f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

SHA256
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

SHA512
5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCPreScan\msvcr120.dll

Filesize
948KB

MD5
034ccadc1c073e4216e9466b720f9849

SHA1
f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

SHA256
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

SHA512
5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCPreScan\msvcr120.dll

Filesize
948KB

MD5
034ccadc1c073e4216e9466b720f9849

SHA1
f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

SHA256
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

SHA512
5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCPreScan\msvcr120.dll

Filesize
948KB

MD5
034ccadc1c073e4216e9466b720f9849

SHA1
f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

SHA256
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

SHA512
5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCPreScan\utilsdll.dll

Filesize
724KB

MD5
e7676cea57a87868a231a0632fdc9389

SHA1
e2b3a3fad8472593ea890ac1070de0169938a435

SHA256
3bf87f89b67e505fe3809bf47eaba7c93b263ed67d23f8811d18854dc9ec284b

SHA512
ff4dfa38e47043144f9b7d16e2b1443cedb643bf2dee182cda7cbc5035a8a12478051bc2bb2c29f182b43fa36fc7df2f0daff475ebc4c107a0c0b61cda73c5df

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCPreScan\utilsdll.dll

Filesize
724KB

MD5
e7676cea57a87868a231a0632fdc9389

SHA1
e2b3a3fad8472593ea890ac1070de0169938a435

SHA256
3bf87f89b67e505fe3809bf47eaba7c93b263ed67d23f8811d18854dc9ec284b

SHA512
ff4dfa38e47043144f9b7d16e2b1443cedb643bf2dee182cda7cbc5035a8a12478051bc2bb2c29f182b43fa36fc7df2f0daff475ebc4c107a0c0b61cda73c5df

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCPreScan\utilsdll.dll

Filesize
724KB

MD5
e7676cea57a87868a231a0632fdc9389

SHA1
e2b3a3fad8472593ea890ac1070de0169938a435

SHA256
3bf87f89b67e505fe3809bf47eaba7c93b263ed67d23f8811d18854dc9ec284b

SHA512
ff4dfa38e47043144f9b7d16e2b1443cedb643bf2dee182cda7cbc5035a8a12478051bc2bb2c29f182b43fa36fc7df2f0daff475ebc4c107a0c0b61cda73c5df

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCPreScan\vir_sig\cleandb

Filesize
115KB

MD5
377a62ba5b215f65d962efa00e14dd8a

SHA1
a65928b9c92d9850252a082512aaacc440004d1e

SHA256
fc1eaa07ecd50f8813ef147e5bb87d71ccff68de45be5d7d07c152e497ea25de

SHA512
91382f6b469784e942d35ec5b5259d956f808a9fd798e72e5cb764ddc6a14c09a1a9c188741240109844d7bec2adea756cca5abd21ba403d1d585cfa9214255e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCPreScan\vir_sig\mdare_sig

Filesize
10KB

MD5
b314b12e839443c2ebf0e3fd8bedc3d5

SHA1
742a9575bc2f469218c9efc7a7def6bf63dd106e

SHA256
517344ddfcb48f921507b1cf299fcf21f3d4cda34db6fa129617fd9282ec021a

SHA512
c1084ab492c059571d9292bb4c36a9871388dd95af0905b5a6ca6ae033d780add3e124a18335cbf0b6d1060466772bc3cf3a1f6f2aae113a87c0606b717ccbb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCPreScan\vir_sig\vir_ext

Filesize
51.9MB

MD5
5cab41bb137655a107320aa276bb96db

SHA1
852bc051d530f0d7631fe383c559563806babbb1

SHA256
ad3a298b92ccfad0b68ed0a15d5f25fe27c104d07c604fc445ef5a4dfd36172d

SHA512
bf7e75ea42fbaafa0fa0a94fd769b523fadd48963189365c3e2df26a5027864498a9864da456694ad26ae7d45bfbfa8ff44d4d6059b0d3f4299ed1b3bcb923c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCPreScan\vir_sig\vir_ext_flat_sig

Filesize
48.3MB

MD5
618095d1e90f25e31590c0f5732fbbe8

SHA1
894a4ebc1e0d520e5406b70ba04b3ee85de06186

SHA256
3ffd6376c7e2cd6296b2e4297c03cb78fc0bef326b287c2bcf7fb452f78d322c

SHA512
03e30e881499a89942e31aa64a27d1ed6ec12cbe4d7c4b1e7e92285030505859459c7cf8608d527f8fa4096f93fde291f7c7162f9b06e6a7c28859294aae9fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCPreScan\vir_sig\vir_high

Filesize
14.2MB

MD5
36ba04ed7383121d3a0d301297778ab6

SHA1
8628e027f48c06f6eb1faf9e4722af8103b10efa

SHA256
92db23cd19579d3783eb8395e68fb9948510f2cf586b7f87aa34f8cf22d1ed4b

SHA512
661da9d19dc8542a0c30dfbf44a764258ce55af7b38bf9b6407d418c961c3266d6a8d63a53b291b762467e68b1bbf85fcdb43242d09424bff81286e8080146a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCPreScan\vir_sig\vir_high_flat_sig

Filesize
24.7MB

MD5
d70b7d1e5f00a7a3508e88a1004bca50

SHA1
605f695292a13599b7c5e5727c8585253f636584

SHA256
f91467b2468b06535eb2eace59f6e1b0e09220e05e1513362456eef4020be366

SHA512
c9ecb4067ce145b1ba1f81782c2f34b12423afa1dd7d0c9efbc1598329d78aee97f7d8232b4ef47ad34977e24655584bb4fe4631c4d11bc0a6d579fab54df981

Download Submit
C:\Users\Admin\AppData\Local\Temp\FortiClient.msi

Filesize
21.5MB

MD5
7fb8f39af5bcb6e47153876f8cede990

SHA1
a1ffca31bd3a7ce683e731b1b7f35d517c258880

SHA256
7fc5c3bd5d8a17c9d97de3f24c601f3d0ca63ada6544ccef03692b8619dfe22a

SHA512
a306ccb08590de7b376636a4f676fd04dfbf77c9f4b0374d109ac79693afabd5c43b75ef4093fc8124e9c8ad7b9a9da33faee8e86aaf9166a2e7bf0b08649d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\FortiClientOfflineVirusCleaner.exe

Filesize
10.5MB

MD5
171bdebd34d0f2003626b2e286313e84

SHA1
2577491831b1c8c1bc740cb0d74f0d7715b59342

SHA256
82fba7e112494e1c4915d81664a118f8fad1288b993aecbb6feddbc2091537d1

SHA512
fdfd54f344cd532d77fdec5e47460f34edf4c41c6da72256004c2a36d49a74d8d18599e33dc35cee7433bd9e5e439afab1090051cd86be0eafef7489b61b0b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\FortiClientOfflineVirusCleaner.exe

Filesize
10.5MB

MD5
171bdebd34d0f2003626b2e286313e84

SHA1
2577491831b1c8c1bc740cb0d74f0d7715b59342

SHA256
82fba7e112494e1c4915d81664a118f8fad1288b993aecbb6feddbc2091537d1

SHA512
fdfd54f344cd532d77fdec5e47460f34edf4c41c6da72256004c2a36d49a74d8d18599e33dc35cee7433bd9e5e439afab1090051cd86be0eafef7489b61b0b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\FortiClientOfflineVirusCleaner.exe

Filesize
10.5MB

MD5
171bdebd34d0f2003626b2e286313e84

SHA1
2577491831b1c8c1bc740cb0d74f0d7715b59342

SHA256
82fba7e112494e1c4915d81664a118f8fad1288b993aecbb6feddbc2091537d1

SHA512
fdfd54f344cd532d77fdec5e47460f34edf4c41c6da72256004c2a36d49a74d8d18599e33dc35cee7433bd9e5e439afab1090051cd86be0eafef7489b61b0b92

Download Submit
C:\Windows\System32\drivers\mdare64_64.sys

Filesize
102KB

MD5
cba2a73ce497fcd8aa30206e602404e4

SHA1
3186ca5bff278b9f7a931d95bb42bb4ec4f51c7b

SHA256
23a4b1b501fd27d1d9eb5700a4e96ab74e51ed8d71748b6312bfd50ed7b51e53

SHA512
0542e3e0a508c901d865bce3ac11ef67259a9ccfee2e106fa844d48e97839bd942d98307e479d5b425ddb1c6a6cd7426dd33680266e9dd6bb72b7830bb77e17f

Download Submit
memory/900-40-0x0000000000AB0000-0x0000000000BBA000-memory.dmp

Filesize
1.0MB

Download
memory/900-0-0x0000000000AB0000-0x0000000000BBA000-memory.dmp

Filesize
1.0MB

Download
memory/900-81-0x0000000000AB0000-0x0000000000BBA000-memory.dmp

Filesize
1.0MB

Download
memory/900-15-0x0000000000AB0000-0x0000000000BBA000-memory.dmp

Filesize
1.0MB

Download
memory/900-1-0x00000000015A0000-0x00000000015A1000-memory.dmp

Filesize
4KB

Download

pid	process
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660

pid	process
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660

pid	process
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660