snakekeylogger | 8bf51ccb2646d38af6778a0712c78415e113b1393509afdc16c97a0bfb91eb55

Analysis

max time kernel
127s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2023 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10243ce788b5dcbbf248058fe196f371.exe
Size

498KB
MD5

10243ce788b5dcbbf248058fe196f371
SHA1

0da95887908b6ada23c698de6cf2f3f986655721
SHA256

8bf51ccb2646d38af6778a0712c78415e113b1393509afdc16c97a0bfb91eb55
SHA512

a990028f8a9b4cce76c2409f95837436d61dc7038d1365d669fd9143f75580e74e4f9f013934435a1ca9e0c1360bbebfe276ea4328ab9d7bd26c6c7c63e83160
SSDEEP

12288:nicNb5chlOMdRL8m6alMG/njrPIRp4tbhknaSJ8XC0x:tqhPRL8m6alMG/njrPIRp496aLXC0

Score

10^/10

snakekeylogger zgrat keylogger rat stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
[email protected]
Password:
Moneymatter@123
Email To:
[email protected]

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral2/memory/4696-127-0x0000000005230000-0x0000000005286000-memory.dmp	family_zgrat_v1
behavioral2/memory/4696-131-0x0000000005230000-0x000000000527F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4696-137-0x0000000005230000-0x000000000527F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4696-141-0x0000000005230000-0x000000000527F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4696-143-0x0000000005230000-0x000000000527F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4696-139-0x0000000005230000-0x000000000527F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4696-145-0x0000000005230000-0x000000000527F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4696-135-0x0000000005230000-0x000000000527F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4696-133-0x0000000005230000-0x000000000527F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4696-129-0x0000000005230000-0x000000000527F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4696-128-0x0000000005230000-0x000000000527F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4696-147-0x0000000005230000-0x000000000527F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4696-149-0x0000000005230000-0x000000000527F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4696-153-0x0000000005230000-0x000000000527F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4696-155-0x0000000005230000-0x000000000527F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4696-151-0x0000000005230000-0x000000000527F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4696-157-0x0000000005230000-0x000000000527F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4696-159-0x0000000005230000-0x000000000527F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4696-161-0x0000000005230000-0x000000000527F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4696-163-0x0000000005230000-0x000000000527F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4696-165-0x0000000005230000-0x000000000527F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4696-167-0x0000000005230000-0x000000000527F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4696-169-0x0000000005230000-0x000000000527F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4696-171-0x0000000005230000-0x000000000527F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4696-177-0x0000000005230000-0x000000000527F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4696-179-0x0000000005230000-0x000000000527F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4696-181-0x0000000005230000-0x000000000527F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4696-183-0x0000000005230000-0x000000000527F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4696-175-0x0000000005230000-0x000000000527F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4696-185-0x0000000005230000-0x000000000527F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4696-187-0x0000000005230000-0x000000000527F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4696-173-0x0000000005230000-0x000000000527F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4696-191-0x0000000005230000-0x000000000527F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4696-189-0x0000000005230000-0x000000000527F000-memory.dmp	family_zgrat_v1

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral2/memory/3532-627-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	10243ce788b5dcbbf248058fe196f371.exe

Executes dropped EXE 3 IoCs

pid	Process
1500	aspnet_compiler.exe
2092	aspnet_compiler.exe
3532	aspnet_compiler.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
55	freegeoip.app
52	checkip.dyndns.org
54	freegeoip.app

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4696 set thread context of 3532	4696	10243ce788b5dcbbf248058fe196f371.exe	114

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
780	3532	WerFault.exe	114

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1432	ipconfig.exe
400	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
3280	powershell.exe
3280	powershell.exe
2320	powershell.exe
2320	powershell.exe
2872	powershell.exe
2872	powershell.exe
3500	powershell.exe
3500	powershell.exe
4896	powershell.exe
4896	powershell.exe
3336	powershell.exe
3336	powershell.exe
3184	powershell.exe
3184	powershell.exe
4696	10243ce788b5dcbbf248058fe196f371.exe
4696	10243ce788b5dcbbf248058fe196f371.exe
4696	10243ce788b5dcbbf248058fe196f371.exe
4696	10243ce788b5dcbbf248058fe196f371.exe
4696	10243ce788b5dcbbf248058fe196f371.exe
4696	10243ce788b5dcbbf248058fe196f371.exe
4696	10243ce788b5dcbbf248058fe196f371.exe
4696	10243ce788b5dcbbf248058fe196f371.exe
4696	10243ce788b5dcbbf248058fe196f371.exe
4696	10243ce788b5dcbbf248058fe196f371.exe
3532	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4696	10243ce788b5dcbbf248058fe196f371.exe
Token: SeDebugPrivilege	3280	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeIncreaseQuotaPrivilege	2320	powershell.exe
Token: SeSecurityPrivilege	2320	powershell.exe
Token: SeTakeOwnershipPrivilege	2320	powershell.exe
Token: SeLoadDriverPrivilege	2320	powershell.exe
Token: SeSystemProfilePrivilege	2320	powershell.exe
Token: SeSystemtimePrivilege	2320	powershell.exe
Token: SeProfSingleProcessPrivilege	2320	powershell.exe
Token: SeIncBasePriorityPrivilege	2320	powershell.exe
Token: SeCreatePagefilePrivilege	2320	powershell.exe
Token: SeBackupPrivilege	2320	powershell.exe
Token: SeRestorePrivilege	2320	powershell.exe
Token: SeShutdownPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeSystemEnvironmentPrivilege	2320	powershell.exe
Token: SeRemoteShutdownPrivilege	2320	powershell.exe
Token: SeUndockPrivilege	2320	powershell.exe
Token: SeManageVolumePrivilege	2320	powershell.exe
Token: 33	2320	powershell.exe
Token: 34	2320	powershell.exe
Token: 35	2320	powershell.exe
Token: 36	2320	powershell.exe
Token: SeIncreaseQuotaPrivilege	2320	powershell.exe
Token: SeSecurityPrivilege	2320	powershell.exe
Token: SeTakeOwnershipPrivilege	2320	powershell.exe
Token: SeLoadDriverPrivilege	2320	powershell.exe
Token: SeSystemProfilePrivilege	2320	powershell.exe
Token: SeSystemtimePrivilege	2320	powershell.exe
Token: SeProfSingleProcessPrivilege	2320	powershell.exe
Token: SeIncBasePriorityPrivilege	2320	powershell.exe
Token: SeCreatePagefilePrivilege	2320	powershell.exe
Token: SeBackupPrivilege	2320	powershell.exe
Token: SeRestorePrivilege	2320	powershell.exe
Token: SeShutdownPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeSystemEnvironmentPrivilege	2320	powershell.exe
Token: SeRemoteShutdownPrivilege	2320	powershell.exe
Token: SeUndockPrivilege	2320	powershell.exe
Token: SeManageVolumePrivilege	2320	powershell.exe
Token: 33	2320	powershell.exe
Token: 34	2320	powershell.exe
Token: 35	2320	powershell.exe
Token: 36	2320	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeIncreaseQuotaPrivilege	2872	powershell.exe
Token: SeSecurityPrivilege	2872	powershell.exe
Token: SeTakeOwnershipPrivilege	2872	powershell.exe
Token: SeLoadDriverPrivilege	2872	powershell.exe
Token: SeSystemProfilePrivilege	2872	powershell.exe
Token: SeSystemtimePrivilege	2872	powershell.exe
Token: SeProfSingleProcessPrivilege	2872	powershell.exe
Token: SeIncBasePriorityPrivilege	2872	powershell.exe
Token: SeCreatePagefilePrivilege	2872	powershell.exe
Token: SeBackupPrivilege	2872	powershell.exe
Token: SeRestorePrivilege	2872	powershell.exe
Token: SeShutdownPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeSystemEnvironmentPrivilege	2872	powershell.exe
Token: SeRemoteShutdownPrivilege	2872	powershell.exe
Token: SeUndockPrivilege	2872	powershell.exe
Token: SeManageVolumePrivilege	2872	powershell.exe
Token: 33	2872	powershell.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 3280	4696	10243ce788b5dcbbf248058fe196f371.exe	91
PID 4696 wrote to memory of 3280	4696	10243ce788b5dcbbf248058fe196f371.exe	91
PID 4696 wrote to memory of 3280	4696	10243ce788b5dcbbf248058fe196f371.exe	91
PID 3280 wrote to memory of 1432	3280	powershell.exe	93
PID 3280 wrote to memory of 1432	3280	powershell.exe	93
PID 3280 wrote to memory of 1432	3280	powershell.exe	93
PID 4696 wrote to memory of 2320	4696	10243ce788b5dcbbf248058fe196f371.exe	94
PID 4696 wrote to memory of 2320	4696	10243ce788b5dcbbf248058fe196f371.exe	94
PID 4696 wrote to memory of 2320	4696	10243ce788b5dcbbf248058fe196f371.exe	94
PID 4696 wrote to memory of 2872	4696	10243ce788b5dcbbf248058fe196f371.exe	97
PID 4696 wrote to memory of 2872	4696	10243ce788b5dcbbf248058fe196f371.exe	97
PID 4696 wrote to memory of 2872	4696	10243ce788b5dcbbf248058fe196f371.exe	97
PID 4696 wrote to memory of 3500	4696	10243ce788b5dcbbf248058fe196f371.exe	99
PID 4696 wrote to memory of 3500	4696	10243ce788b5dcbbf248058fe196f371.exe	99
PID 4696 wrote to memory of 3500	4696	10243ce788b5dcbbf248058fe196f371.exe	99
PID 4696 wrote to memory of 4896	4696	10243ce788b5dcbbf248058fe196f371.exe	103
PID 4696 wrote to memory of 4896	4696	10243ce788b5dcbbf248058fe196f371.exe	103
PID 4696 wrote to memory of 4896	4696	10243ce788b5dcbbf248058fe196f371.exe	103
PID 4696 wrote to memory of 3336	4696	10243ce788b5dcbbf248058fe196f371.exe	105
PID 4696 wrote to memory of 3336	4696	10243ce788b5dcbbf248058fe196f371.exe	105
PID 4696 wrote to memory of 3336	4696	10243ce788b5dcbbf248058fe196f371.exe	105
PID 4696 wrote to memory of 3184	4696	10243ce788b5dcbbf248058fe196f371.exe	106
PID 4696 wrote to memory of 3184	4696	10243ce788b5dcbbf248058fe196f371.exe	106
PID 4696 wrote to memory of 3184	4696	10243ce788b5dcbbf248058fe196f371.exe	106
PID 3184 wrote to memory of 400	3184	powershell.exe	108
PID 3184 wrote to memory of 400	3184	powershell.exe	108
PID 3184 wrote to memory of 400	3184	powershell.exe	108
PID 4696 wrote to memory of 1500	4696	10243ce788b5dcbbf248058fe196f371.exe	112
PID 4696 wrote to memory of 1500	4696	10243ce788b5dcbbf248058fe196f371.exe	112
PID 4696 wrote to memory of 1500	4696	10243ce788b5dcbbf248058fe196f371.exe	112
PID 4696 wrote to memory of 2092	4696	10243ce788b5dcbbf248058fe196f371.exe	113
PID 4696 wrote to memory of 2092	4696	10243ce788b5dcbbf248058fe196f371.exe	113
PID 4696 wrote to memory of 2092	4696	10243ce788b5dcbbf248058fe196f371.exe	113
PID 4696 wrote to memory of 3532	4696	10243ce788b5dcbbf248058fe196f371.exe	114
PID 4696 wrote to memory of 3532	4696	10243ce788b5dcbbf248058fe196f371.exe	114
PID 4696 wrote to memory of 3532	4696	10243ce788b5dcbbf248058fe196f371.exe	114
PID 4696 wrote to memory of 3532	4696	10243ce788b5dcbbf248058fe196f371.exe	114
PID 4696 wrote to memory of 3532	4696	10243ce788b5dcbbf248058fe196f371.exe	114
PID 4696 wrote to memory of 3532	4696	10243ce788b5dcbbf248058fe196f371.exe	114
PID 4696 wrote to memory of 3532	4696	10243ce788b5dcbbf248058fe196f371.exe	114
PID 4696 wrote to memory of 3532	4696	10243ce788b5dcbbf248058fe196f371.exe	114

C:\Users\Admin\AppData\Local\Temp\10243ce788b5dcbbf248058fe196f371.exe
"C:\Users\Admin\AppData\Local\Temp\10243ce788b5dcbbf248058fe196f371.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ipconfig /release
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3280
- - C:\Windows\SysWOW64\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /release
    3⤵
    - Gathers network information
    PID:1432
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3500
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4896
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3336
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ipconfig /renew
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3184
- - C:\Windows\SysWOW64\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /renew
    3⤵
    - Gathers network information
    PID:400
- C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
  C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
  C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
  C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 1796
    3⤵
    - Program crash
    PID:780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3532 -ip 3532
1⤵
PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
9e66e962389a0216a1303cd6a7f6d199

SHA1
2327e0dfa7d8e68478e0723c2d92326e1fa6baf3

SHA256
f3c4fff7118d931358aff24e860335a4ae5713508ce5e3f53cd10f30c6bd16af

SHA512
8e87986828785c898e29a93a18cd2fb14f2146fb8ddf1c516cdf91109d1acfe6a039fecc296016dbd19c71512fc41837f6cdfe7203cc01ee93a2f4223b4deae5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
bad8859cc2adc804deeb708374fc7bbf

SHA1
013926e54b4cabd5509702431d2fb66f13d109d8

SHA256
5c0c8472196d669ced5adda3e8b98352b793bb460be3ce0448d62337be4bdfdd

SHA512
600e1670e7e9680336f393cb378734f5139c5797787c4707aa7a07b248335a9b302ae5a29d4715eae9920d6aa08dc6e07e51486fdb8b7d19ea591f32fbf3f1a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
bbefb0bff16d054751122c3597a3e002

SHA1
6ba7ba4f769c7cee0e80e9b4f73798f56895362f

SHA256
34499c0396c84e981c21492c24a953dcbfd44ad4386182b69de9d312e8a14e26

SHA512
c8dc30228b543593ca666f72aec7eacab69bf15c09d9f94f803a7716be6a4ab78790e09b482acb5edac373b831d46d23e897007298660313daa741b7d7851bb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
70b714c564ebb855905f81b1687f1447

SHA1
b5cdd28c082d39fb8ff273817372ddb02288e190

SHA256
7f6c687d98e9920502ddbadbe8485f87a7f2a10195e266177fa14a18fc76e75a

SHA512
a2ae59964ed1609438a1291a5e5ddbcf55af39bbf01918b18304603a2f995095820ee39cbf798f3d419a711c07519f0708757b3e96fbf7e88c7a026780d9959d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
5751ea1b6b67becfc8eab04ab19edc29

SHA1
80281b0cbfef93da8d2589601c4c097bd87f2394

SHA256
64b3a080f6972ff9a6172db4d24e545ae2de494300f4207e573cd09d9339031b

SHA512
c7e49a75d0c60432903da91d143fea0934f71b49efd7425e6fb3df0bf2a3e9f2af83602e35e17226905ea38d0eaaa99987f77726f00a7c5a0f97c9fd21bf2b0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
484035d605bd9b421ee46edee6df138f

SHA1
3e967b92f9642f2e3d2154024d65fad275481391

SHA256
3921a3b3b1443ba1c72386383a67af090070b3b424ea3f3ccc9a67a03d78bfdd

SHA512
a12080680d7674f6248462a003613a1197846e7c9e0e804ac53fff734d5ff356d5adce4b9685279f57196786813e31c84cce475a1313cd6ffc6d84c0f8c15ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q0bcufgi.z0e.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe

Filesize
55KB

MD5
fda8c8f2a4e100afb14c13dfcbcab2d2

SHA1
19dfd86294c4a525ba21c6af77681b2a9bbecb55

SHA256
99a2c778c9a6486639d0aff1a7d2d494c2b0dc4c7913ebcb7bfea50a2f1d0b09

SHA512
94f0ace37cae77be9935cf4fc8aaa94691343d3b38de5e16c663b902c220bff513cd02256c7af2d815a23dd30439582ddbb0880009c76bbf36ff8fbc1a6ddc18

Download Submit
C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe

Filesize
55KB

MD5
fda8c8f2a4e100afb14c13dfcbcab2d2

SHA1
19dfd86294c4a525ba21c6af77681b2a9bbecb55

SHA256
99a2c778c9a6486639d0aff1a7d2d494c2b0dc4c7913ebcb7bfea50a2f1d0b09

SHA512
94f0ace37cae77be9935cf4fc8aaa94691343d3b38de5e16c663b902c220bff513cd02256c7af2d815a23dd30439582ddbb0880009c76bbf36ff8fbc1a6ddc18

Download Submit
C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe

Filesize
55KB

MD5
fda8c8f2a4e100afb14c13dfcbcab2d2

SHA1
19dfd86294c4a525ba21c6af77681b2a9bbecb55

SHA256
99a2c778c9a6486639d0aff1a7d2d494c2b0dc4c7913ebcb7bfea50a2f1d0b09

SHA512
94f0ace37cae77be9935cf4fc8aaa94691343d3b38de5e16c663b902c220bff513cd02256c7af2d815a23dd30439582ddbb0880009c76bbf36ff8fbc1a6ddc18

Download Submit
C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe

Filesize
55KB

MD5
fda8c8f2a4e100afb14c13dfcbcab2d2

SHA1
19dfd86294c4a525ba21c6af77681b2a9bbecb55

SHA256
99a2c778c9a6486639d0aff1a7d2d494c2b0dc4c7913ebcb7bfea50a2f1d0b09

SHA512
94f0ace37cae77be9935cf4fc8aaa94691343d3b38de5e16c663b902c220bff513cd02256c7af2d815a23dd30439582ddbb0880009c76bbf36ff8fbc1a6ddc18

Download Submit
memory/2320-29-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/2320-46-0x0000000008080000-0x00000000086FA000-memory.dmp

Filesize
6.5MB

Download
memory/2320-44-0x0000000006040000-0x0000000006062000-memory.dmp

Filesize
136KB

Download
memory/2320-43-0x0000000005FF0000-0x000000000600A000-memory.dmp

Filesize
104KB

Download
memory/2320-42-0x0000000006E00000-0x0000000006E96000-memory.dmp

Filesize
600KB

Download
memory/2320-28-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/2320-45-0x0000000007450000-0x00000000079F4000-memory.dmp

Filesize
5.6MB

Download
memory/2320-30-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/2320-48-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/2872-64-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/2872-51-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/2872-57-0x0000000005C20000-0x0000000005F74000-memory.dmp

Filesize
3.3MB

Download
memory/2872-49-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/2872-50-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/3184-112-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-126-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3184-125-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3184-110-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3184-111-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/3280-3-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3280-19-0x0000000005FC0000-0x0000000006314000-memory.dmp

Filesize
3.3MB

Download
memory/3280-24-0x0000000005170000-0x0000000005180000-memory.dmp

Filesize
64KB

Download
memory/3280-21-0x00000000064E0000-0x000000000652C000-memory.dmp

Filesize
304KB

Download
memory/3280-7-0x00000000054D0000-0x00000000054F2000-memory.dmp

Filesize
136KB

Download
memory/3280-26-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3280-8-0x0000000005DE0000-0x0000000005E46000-memory.dmp

Filesize
408KB

Download
memory/3280-20-0x00000000064A0000-0x00000000064BE000-memory.dmp

Filesize
120KB

Download
memory/3280-14-0x0000000005E50000-0x0000000005EB6000-memory.dmp

Filesize
408KB

Download
memory/3280-6-0x00000000057B0000-0x0000000005DD8000-memory.dmp

Filesize
6.2MB

Download
memory/3280-5-0x0000000002B60000-0x0000000002B96000-memory.dmp

Filesize
216KB

Download
memory/3280-4-0x0000000005170000-0x0000000005180000-memory.dmp

Filesize
64KB

Download
memory/3336-96-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3336-123-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3336-98-0x0000000005B60000-0x0000000005EB4000-memory.dmp

Filesize
3.3MB

Download
memory/3336-97-0x0000000002870000-0x0000000002880000-memory.dmp

Filesize
64KB

Download
memory/3500-79-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3500-65-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3500-67-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/3500-66-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/3532-627-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3532-629-0x0000000004DA0000-0x0000000004E3C000-memory.dmp

Filesize
624KB

Download
memory/3532-630-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/3532-628-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3532-631-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/4696-145-0x0000000005230000-0x000000000527F000-memory.dmp

Filesize
316KB

Download
memory/4696-169-0x0000000005230000-0x000000000527F000-memory.dmp

Filesize
316KB

Download
memory/4696-131-0x0000000005230000-0x000000000527F000-memory.dmp

Filesize
316KB

Download
memory/4696-137-0x0000000005230000-0x000000000527F000-memory.dmp

Filesize
316KB

Download
memory/4696-141-0x0000000005230000-0x000000000527F000-memory.dmp

Filesize
316KB

Download
memory/4696-143-0x0000000005230000-0x000000000527F000-memory.dmp

Filesize
316KB

Download
memory/4696-139-0x0000000005230000-0x000000000527F000-memory.dmp

Filesize
316KB

Download
memory/4696-41-0x0000000005330000-0x0000000005340000-memory.dmp

Filesize
64KB

Download
memory/4696-135-0x0000000005230000-0x000000000527F000-memory.dmp

Filesize
316KB

Download
memory/4696-133-0x0000000005230000-0x000000000527F000-memory.dmp

Filesize
316KB

Download
memory/4696-129-0x0000000005230000-0x000000000527F000-memory.dmp

Filesize
316KB

Download
memory/4696-128-0x0000000005230000-0x000000000527F000-memory.dmp

Filesize
316KB

Download
memory/4696-147-0x0000000005230000-0x000000000527F000-memory.dmp

Filesize
316KB

Download
memory/4696-149-0x0000000005230000-0x000000000527F000-memory.dmp

Filesize
316KB

Download
memory/4696-153-0x0000000005230000-0x000000000527F000-memory.dmp

Filesize
316KB

Download
memory/4696-155-0x0000000005230000-0x000000000527F000-memory.dmp

Filesize
316KB

Download
memory/4696-151-0x0000000005230000-0x000000000527F000-memory.dmp

Filesize
316KB

Download
memory/4696-157-0x0000000005230000-0x000000000527F000-memory.dmp

Filesize
316KB

Download
memory/4696-159-0x0000000005230000-0x000000000527F000-memory.dmp

Filesize
316KB

Download
memory/4696-161-0x0000000005230000-0x000000000527F000-memory.dmp

Filesize
316KB

Download
memory/4696-163-0x0000000005230000-0x000000000527F000-memory.dmp

Filesize
316KB

Download
memory/4696-165-0x0000000005230000-0x000000000527F000-memory.dmp

Filesize
316KB

Download
memory/4696-167-0x0000000005230000-0x000000000527F000-memory.dmp

Filesize
316KB

Download
memory/4696-127-0x0000000005230000-0x0000000005286000-memory.dmp

Filesize
344KB

Download
memory/4696-171-0x0000000005230000-0x000000000527F000-memory.dmp

Filesize
316KB

Download
memory/4696-177-0x0000000005230000-0x000000000527F000-memory.dmp

Filesize
316KB

Download
memory/4696-179-0x0000000005230000-0x000000000527F000-memory.dmp

Filesize
316KB

Download
memory/4696-181-0x0000000005230000-0x000000000527F000-memory.dmp

Filesize
316KB

Download
memory/4696-183-0x0000000005230000-0x000000000527F000-memory.dmp

Filesize
316KB

Download
memory/4696-175-0x0000000005230000-0x000000000527F000-memory.dmp

Filesize
316KB

Download
memory/4696-185-0x0000000005230000-0x000000000527F000-memory.dmp

Filesize
316KB

Download
memory/4696-187-0x0000000005230000-0x000000000527F000-memory.dmp

Filesize
316KB

Download
memory/4696-173-0x0000000005230000-0x000000000527F000-memory.dmp

Filesize
316KB

Download
memory/4696-191-0x0000000005230000-0x000000000527F000-memory.dmp

Filesize
316KB

Download
memory/4696-189-0x0000000005230000-0x000000000527F000-memory.dmp

Filesize
316KB

Download
memory/4696-616-0x0000000000F20000-0x0000000000F3C000-memory.dmp

Filesize
112KB

Download
memory/4696-23-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/4696-2-0x0000000005330000-0x0000000005340000-memory.dmp

Filesize
64KB

Download
memory/4696-1-0x00000000007F0000-0x0000000000872000-memory.dmp

Filesize
520KB

Download
memory/4696-0-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/4696-626-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/4896-82-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/4896-81-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/4896-80-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/4896-92-0x0000000005C40000-0x0000000005F94000-memory.dmp

Filesize
3.3MB

Download
memory/4896-95-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download