Overview

overview

10

Static

static

1

Ref_0120_0122.vbe

windows7-x64

8

Ref_0120_0122.vbe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-09-2024 14:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ref_0120_0122.vbe

  • Size

    11KB

  • MD5

    f2ba7d3b3cdabd02dbcccb1174088b1d

  • SHA1

    dbc02a29b2b042af0b988c698be5be7885e127c1

  • SHA256

    4d89b6fc60ffaa84af321fb2120185994a22605d80d175d71c5780e753d3ec8d

  • SHA512

    876f7a01b9abbaaf7dff88e16a362eafa5ba13b9031c1d6cfef195b426e89c4a287c26d717320886a225d7904aca3635bf3a6a8f2286a5d89bfadb0b330da154

  • SSDEEP

    192:lwZ1ZSTlbLJya3RGALtUtNG7YkGEY9CNsRXX1SAkt0pdzea1iGDcgjK:6rITlbz3L5UtNGWEYCNsRXX1medzL1iZ

Score
10/10
snakekeyloggerdiscoverykeyloggerstealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 8 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 21 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 14 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ref_0120_0122.vbe"
    1⤵
    • Blocklisted process makes network request
    PID:1100
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\nerIVJXTbrPkqwd.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:828
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:724
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1736
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4248
          • C:\Windows\SysWOW64\choice.exe
            choice /C Y /N /D Y /T 3
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4480
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "724" "2736" "2676" "2740" "0" "0" "2744" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:1988
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1260
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1260" "2684" "2612" "2688" "0" "0" "2692" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:4872
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1644
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1460
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2308
          • C:\Windows\SysWOW64\choice.exe
            choice /C Y /N /D Y /T 3
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2152
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1644" "2604" "2608" "2732" "0" "0" "2736" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:5056
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:536
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "536" "2708" "2636" "2712" "0" "0" "2716" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:4736
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1196
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2644
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4996
          • C:\Windows\SysWOW64\choice.exe
            choice /C Y /N /D Y /T 3
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2404
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1196" "2724" "2624" "2728" "0" "0" "2732" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:1716
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1488
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1488" "2684" "2612" "2688" "0" "0" "2692" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:3056
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1960
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:224
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2228
          • C:\Windows\SysWOW64\choice.exe
            choice /C Y /N /D Y /T 3
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2948
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1960" "2732" "2608" "2736" "0" "0" "2740" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:3512
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3860
  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SplitMeasure.mpg"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:5068

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    3f01549ee3e4c18244797530b588dad9

    SHA1

    3e87863fc06995fe4b741357c68931221d6cc0b9

    SHA256

    36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

    SHA512

    73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log
    Filesize

    1KB

    MD5

    3668d81576650b0fe5ec94229737504a

    SHA1

    ab4d7a47e6870d67ad9373aaeb2d3c95b4282a15

    SHA256

    9e465fac2511971cffa834b8d51f56cbb65202b68fab3e054b483c46460155c8

    SHA512

    24625f6d057e6c329b7d2b5c689d7cd7fd3c51b35fa83662203255d496ac1b43b7d15c02c6ada5d5f343c9bf9d2efdb56a60e1585a564788b0eea925067c7a4e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Filesize

    53KB

    MD5

    a26df49623eff12a70a93f649776dab7

    SHA1

    efb53bd0df3ac34bd119adf8788127ad57e53803

    SHA256

    4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

    SHA512

    e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize

    3KB

    MD5

    6e809f4c18466a0a63db912fb7a2441c

    SHA1

    d88653e1426406c3175c3fee38d55cd94a1ec5b1

    SHA256

    2a684a0f36716559ec3fef1d5cdcd0fa7d48cd59e40457b7adc4d7b1f9a0c9fa

    SHA512

    b47bb55f42d8930277dcab4d3850aba5b1f40b794f07cf1a0858b7280dc8bab243f445c50d2a45fa183c8f664c4864f476d4565c85380fc10cf45fe53d16100c

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize

    2KB

    MD5

    2c7f4792e8b9a56d242924a685fe1bd1

    SHA1

    51dd24e93dac61e0de79c2b50f78b4375864ce5a

    SHA256

    7c9f11ccaece88aa07e97e80ed6b8d79fe104e45c2196697a01c56a44043ff26

    SHA512

    187f2d34428019a3c1f9e891f2d61dcf69b9e29fafdd0d1986cd0a52a52b7574d6ae520a4c3d3fd499e9a8b134d0dd9597554e95638b29a7c094c2fbc07933ed

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize

    3KB

    MD5

    ff57c6dc89cef64d6e692900b3126eb3

    SHA1

    5eb11288ad21427b2a96702b418c8ad56fee1263

    SHA256

    49455e0a6e85d1eff7ff0770ef08af52a7cd4e7330b5f427cda75d89582b554c

    SHA512

    ad0680a15f70132bc87216b63e160d8db992336705048eafd2638786e861ae47252c57c9dfa8fa918add11d33af42021022d2088abb5a937010ab2672e4ea316

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize

    3KB

    MD5

    ea5109da5041b7f705b288834869e9a5

    SHA1

    b38627f07ea5b89d4de45c48c27c2ec63020d770

    SHA256

    6459de7cf4ae5f47609fc4431d7a6b90ed7512f62784b52a1d92732d82c4cf86

    SHA512

    ef4f41ab9657ff06252852003ad6375e389ae71d8815609827b32de55765cb395192ba2d75be4bc4af7021c87f362d6ea92ba178035bdc3bd681b1dd7731b621

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize

    292B

    MD5

    6cf521dbbc7bc7def006013fdff35f04

    SHA1

    337034602e9fe4cc8888b598a984ff35371c041b

    SHA256

    18ff206efe499d70ba16f1524ea516f7c77c0c082f6395e709a606e81ff6ac9f

    SHA512

    2abdc3a48c2b03939fd2467c2cc51c7b74f0109d29d6f2cac0cba147cb60e24d4d285a00b4b17b8e67feeeeeec4a8bea999e6a332962f63bfd17873adf6f0ada

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_byomvwww.h5r.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
    Filesize

    252B

    MD5

    fe8c809a1aae7fb8ae8ff6dccb21d7c3

    SHA1

    e886b06370a039f4fe4b8596e836f22124a6af80

    SHA256

    84c14dd26126f393b06fb62438f48baf6358f003ec3100b0840de3fb2d5cabe8

    SHA512

    85dd0f0f240eca5094863374ea2e42145d58aaa08fb2807d4215aee6df2bab4a909dd82138d43585f7043db4f39f0d204d1eb00e7cfabb740944dbde18d62882

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
    Filesize

    504B

    MD5

    76f9e2356d77e9450569350256fc1c00

    SHA1

    cbdb84fc7a8af902d7c48515bb24fd05f19fc536

    SHA256

    3ad06244ec59eabc524d0b5af370d05423ae179c50b66887f9798fb323fa2841

    SHA512

    4073746345113e806cf7eea6446412eedbc589b9e4a246fe751b88df86151a5c4be2e17885365261d09649fb43fb2e1c7c73950bf1a045da06ecb727d09a7d31

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
    Filesize

    756B

    MD5

    2b4499ef082b35ab4620793e76494327

    SHA1

    c7d23dd28d29b14ba9629ef59e634cd0bda3ee12

    SHA256

    6be3012d26fa03a9c49bfbe2e2a3947ac3a216e5dd3ccc4ad8600925c25086db

    SHA512

    3be7bcf5cfe0e782741c2bad5b91824a5a915a27c590502425718db113b380c5c61e05e277082be237cdccc848b1b2e811725c8c8dd1635d046fad45413b1a93

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
    Filesize

    1008B

    MD5

    65b6a9d7742cb4be5f2b8150fdc4b9a3

    SHA1

    65895e46790eaa806644a0c12961679b7b8486a4

    SHA256

    5753f7b2dbe887559813873c16ceece325af1cfb1432d87efe30e7cab4223298

    SHA512

    7a7e8c6d1ff638002fb1adb9fea27e2ff1b53cf86e4242519e5c8878fbc94f13236621e01ea8cbd3d2f7e20ee09499f68a026f63e6358c3d3df3308d7bcd2e3d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    6KB

    MD5

    cc57bb4d60b4052cf8958c66255031aa

    SHA1

    d64d4816583aa29135d5b3483006bd10221d91b7

    SHA256

    325e6ac1c16da7fd02b1bcdb2e69ebf3376eb56e6104c90d09563664e6ca0d09

    SHA512

    3c1583ba8a35ab654d5d8cb1ecd00d6ec70b0fad9f1ebfd6737316ea1d3168d23de20cbea394f2ce5e339ba4fe3ad3b9b847417ce4da7b9a5680747ca36c3ba9

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    6KB

    MD5

    428d2d064b643a44044b6e20b331027f

    SHA1

    7557ece7e9dac5f7ad59317043188ed097baafa1

    SHA256

    39a022da55401dd5a6c3692de83f5a93ce1810c5b7675d0cf8043624b724c4f7

    SHA512

    8579f0b94dae27f3c69b4135f09ec8c73a279972a043d9c0d2683e829a7d268565752746a8eec9e2d5ab453c7b5b3cab977a2d23161e9f1250f76812086fde16

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    6KB

    MD5

    6489d16e4a289f1c0e7ab7442d8a3936

    SHA1

    6257adec79b7745e1171d53b62b7d4a4fe02b8dd

    SHA256

    4cc20a0bfe5dbcda9ae756c14be55fcede61277cad42d9f4fd3b1701a4db642c

    SHA512

    207a90eae04b0d27dfb445055d1bcb674d0c14f91a901767f860d5000b6f38276322aa498bf4ed0561371903150b120c6691e064d35a63fe0a8e889d79906821

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    6KB

    MD5

    1b2d4e0ef7e6dcf15734f040e46a0467

    SHA1

    36cd2af6f91243f8b4d857c708635c4b5796e95a

    SHA256

    509d4ec1c7add661ca4ef7f22ae78fcd34b43288f56ebe40607a87c6e1508cc9

    SHA512

    f71c579bd8ebc1d8e533d4b43544a4544496886c38bbc241093226039a9494aeff202fbe16655ac4b93195660944da94baa0eaf0c04ab658f096c91d283bb2d5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    6KB

    MD5

    a5b3d6fc89de76e83c06925352441966

    SHA1

    4737d2ebcbb0baa627472166c7f133bdf40b6662

    SHA256

    19cf25f4ac163a046c670faa0bed0f84ed7252d3d018523de0fbea31d7155ea3

    SHA512

    c5fd8daa5eafb667953a0d203da54acbae4e1dc2b5797f4db3062d8d354a4095fba34c07b46e06a8268db9c541ea088c7224fbd559e5c7117f5d0272ea9cb168

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    6KB

    MD5

    57244198fd42ef36b97782ffdcc260d8

    SHA1

    28ae614e457a21c6c6c1d1469193f60e8eaa2ac5

    SHA256

    6f91c776a805235e93ef252a60309b078838fbd7945a84837bc57de1bb0e708c

    SHA512

    82e5a24465fd7a0434d8e12e2ef7777f3534f1c399f5086ce9d0ef674a200293d413aacddac266f829175262e51c2cc7ea227e185ed6d42d2b23e2ad8b54f4d8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    6KB

    MD5

    35a35fe4a0c1465723ea288317f13f32

    SHA1

    23402d2f039e630d36790fbb5aec17d905d1cb44

    SHA256

    8d157c59cb4a955b62e20b1a7d30c86819f307eacfa06dcfe7e70f57b613306b

    SHA512

    3511115ea3b3dc9e5ee7d9ac7a0795672c6a68925a6a6c58daf82340320e8c1d7cf1ea672c26d5e88dfb1a9aa74d5fa5d87b49aecbc14bd2a8e2f9947ec7fe89

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    6KB

    MD5

    8371833111785ac6c15bbe43f2c8b48b

    SHA1

    1de4413ffe15436c61badf080ef3daa359a38d1c

    SHA256

    a1afed9d768c88da0abcc0cfe42a18c1a4d67b32a8f9b0981d53b5a283f63013

    SHA512

    024c52f4546363eadffed5770025259d75d44aaa7e116b8bf5b339f0cf25a98e043e1fb8ea90f62cd106afbf801e0b986da323f10ab475b8dbc92d108e661327

    Download Submit

  • C:\Users\Admin\AppData\Roaming\nerIVJXTbrPkqwd.vbs
    Filesize

    2KB

    MD5

    4ab3e87d9d3e6cf50f9787e2085fa8c7

    SHA1

    5203b0409105410903b2ec612684e1c1d3c5d7c4

    SHA256

    4f42c1f4f7fb9a5813e1710b80f7841b71ee5fff65255dc20f1c8b3eba26574b

    SHA512

    c3999a17ac473ed314a06625bdbca4249198ba9b7e266fefe487d976021c2ca2aa7b58ffa6d89459bb4904713a1c71bcc82e3b70481a28638debc34ddee1c5fd

    Download Submit

  • C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.CD5068
    Filesize

    77B

    MD5

    4dcdf4ed381349373736a3039b0b5cff

    SHA1

    96f2f93c7e0fdf084d156cc7b3ffd491bdeb9701

    SHA256

    a30c7d3d49783babecc63a96bea9da356906f9507555c19f9082eee5878f1459

    SHA512

    b8c92f421559235698a0a3b81fcdd899baceac63747dd9936e698ae24d9c217172d629a02191d2898e69d72749bdabcbb3cce0580d500b983c691dfb77877781

    Download Submit

  • C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock
    Filesize

    18B

    MD5

    85e75cd611861d352735d6e79f7b944f

    SHA1

    443e38c54bd6f98f7378e3487f0165cc21fdd0bf

    SHA256

    6e05a59406279e8a6d3f7e82807d7c8d82e6d960970296069aecaf0b12eaef19

    SHA512

    937d02dd8c9a8cbbfd3bf4f76dcb5c3bd8fbf3798ff3347732ce43531934e4280184a514739556d25115a4c4a51d19b85a2d0a462597bbd0a6f32bfceaee62d6

    Download Submit

  • memory/724-52-0x000002165B460000-0x000002165B46A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/724-15-0x0000021675EE0000-0x0000021675F56000-memory.dmp

    Filesize

    472KB

    Download

  • memory/724-53-0x0000021673A00000-0x0000021673A0A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/724-4-0x000002165B400000-0x000002165B422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/724-14-0x0000021673A10000-0x0000021673A54000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1736-54-0x0000000000E10000-0x0000000000E36000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1736-73-0x0000000005890000-0x0000000005E34000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1736-74-0x0000000005380000-0x000000000541C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/5068-26-0x00007FFD8FFF0000-0x00007FFD901FB000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5068-22-0x00007FFD91830000-0x00007FFD91847000-memory.dmp

    Filesize

    92KB

    Download

  • memory/5068-30-0x00007FFD91620000-0x00007FFD91638000-memory.dmp

    Filesize

    96KB

    Download

  • memory/5068-31-0x00007FFD91130000-0x00007FFD91141000-memory.dmp

    Filesize

    68KB

    Download

  • memory/5068-116-0x00007FFD8CC80000-0x00007FFD8DD30000-memory.dmp

    Filesize

    16.7MB

    Download

  • memory/5068-32-0x00007FFD91110000-0x00007FFD91121000-memory.dmp

    Filesize

    68KB

    Download

  • memory/5068-33-0x00007FFD91000000-0x00007FFD91011000-memory.dmp

    Filesize

    68KB

    Download

  • memory/5068-27-0x00007FFD8CC80000-0x00007FFD8DD30000-memory.dmp

    Filesize

    16.7MB

    Download

  • memory/5068-20-0x00007FFDA9C30000-0x00007FFDA9C47000-memory.dmp

    Filesize

    92KB

    Download

  • memory/5068-19-0x00007FFDACB60000-0x00007FFDACB78000-memory.dmp

    Filesize

    96KB

    Download

  • memory/5068-18-0x00007FFD90200000-0x00007FFD904B6000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/5068-107-0x00007FFD90200000-0x00007FFD904B6000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/5068-23-0x00007FFD91810000-0x00007FFD91821000-memory.dmp

    Filesize

    68KB

    Download

  • memory/5068-24-0x00007FFD917B0000-0x00007FFD917CD000-memory.dmp

    Filesize

    116KB

    Download

  • memory/5068-25-0x00007FFD91640000-0x00007FFD91651000-memory.dmp

    Filesize

    68KB

    Download

  • memory/5068-21-0x00007FFDA9AB0000-0x00007FFDA9AC1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/5068-17-0x00007FFD91A40000-0x00007FFD91A74000-memory.dmp

    Filesize

    208KB

    Download

  • memory/5068-16-0x00007FF78B290000-0x00007FF78B388000-memory.dmp

    Filesize

    992KB

    Download

  • memory/5068-87-0x00007FFD8CC80000-0x00007FFD8DD30000-memory.dmp

    Filesize

    16.7MB

    Download

  • memory/5068-29-0x00007FFD91150000-0x00007FFD91171000-memory.dmp

    Filesize

    132KB

    Download

  • memory/5068-28-0x00007FFD91180000-0x00007FFD911C1000-memory.dmp

    Filesize

    260KB

    Download