Overview

overview

10

Static

static

1

Ref01200122.vbe

windows7-x64

8

Ref01200122.vbe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-09-2024 00:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ref01200122.vbe

  • Size

    11KB

  • MD5

    f2ba7d3b3cdabd02dbcccb1174088b1d

  • SHA1

    dbc02a29b2b042af0b988c698be5be7885e127c1

  • SHA256

    4d89b6fc60ffaa84af321fb2120185994a22605d80d175d71c5780e753d3ec8d

  • SHA512

    876f7a01b9abbaaf7dff88e16a362eafa5ba13b9031c1d6cfef195b426e89c4a287c26d717320886a225d7904aca3635bf3a6a8f2286a5d89bfadb0b330da154

  • SSDEEP

    192:lwZ1ZSTlbLJya3RGALtUtNG7YkGEY9CNsRXX1SAkt0pdzea1iGDcgjK:6rITlbz3L5UtNGWEYCNsRXX1medzL1iZ

Score
10/10
snakekeyloggerdiscoverykeyloggerstealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 7 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 30 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 23 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ref01200122.vbe"
    1⤵
    • Blocklisted process makes network request
    PID:4092
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\nerIVJXTbrPkqwd.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3604
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:212
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3172
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 1456
          4⤵
          • Program crash
          PID:2360
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "212" "2808" "2760" "2812" "0" "0" "2816" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:2464
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1584
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1584" "2680" "2600" "2684" "0" "0" "2688" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:2356
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4848
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1968
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1452
          4⤵
          • Program crash
          PID:2580
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4848" "2816" "2752" "2820" "0" "0" "2824" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:3172
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4536
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4536" "2704" "2632" "2708" "0" "0" "2712" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:2068
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1412
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4656
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1448
          4⤵
          • Program crash
          PID:4296
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1412" "2736" "2680" "2740" "0" "0" "2744" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:4540
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5016
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5080
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4512
          • C:\Windows\SysWOW64\choice.exe
            choice /C Y /N /D Y /T 3
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3804
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5016" "2740" "2676" "2744" "0" "0" "2748" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:3020
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1368
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1368" "2692" "2620" "2696" "0" "0" "2700" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:908
  • C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\StopOptimize.ppsm" /ou ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4852
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3172 -ip 3172
    1⤵
      PID:4388
    • C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\StopOptimize.ppsm" /ou ""
      1⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2516
    • C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\StopOptimize.ppsm" /ou ""
      1⤵
        PID:1412
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1968 -ip 1968
        1⤵
          PID:3144
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4656 -ip 4656
          1⤵
            PID:552
          • C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
            "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\StopOptimize.ppsm" /ou ""
            1⤵
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious use of SetWindowsHookEx
            PID:2452
          • C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
            "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\StopOptimize.ppsm" /ou ""
            1⤵
              PID:3108

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\Microsoft\Windows\WER\Temp\WER436E.tmp.xml
              Filesize

              4KB

              MD5

              9242a6bf0cf18c0427b3bfd92a4be18c

              SHA1

              7180afbc626ac952349260937bf30b10f709e74f

              SHA256

              1c5107b88df8b5b29527fad47b5c8a8afecc704698398398396bd45e235b5a86

              SHA512

              93b31d8a99d027ecd059d421f94dbd29a0518e7746dd345f7dc472481c170783341764b3d8e10e2f547a4a129073dff094364ce6423d4ad77f3155c04deaf433

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
              Filesize

              471B

              MD5

              d11a564f92ffe2d43c35ec2946a29546

              SHA1

              0779c8baa0e1bdf76424db75a71e52cbf22db2fc

              SHA256

              d156b4c63f6fdad0ba2b7f1b71b21764f1cb12f67cc3617a5b541e71af572f86

              SHA512

              14b288fda8320c3938559518b7a7708d1b0fa7fe70cbd3b41977b4bae945ae744cf6cc8685cbf8ec574941b2d5ea3a4fc236afb84f19705dc6650d1e80b12939

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
              Filesize

              412B

              MD5

              60843b02823961c192f0973a0751e219

              SHA1

              e0911af5e79dae7993ff9b7adfeb5063bb525f9c

              SHA256

              c5eb66d9077a95073e43f64b3bd52e384a4bb4dea2a596728ef4682cf178331c

              SHA512

              2c734b786185e18efdcd707403f73e81e1aa1632cacc338fedb57dd03d2a80518c2dd766849d09ce6603133ce0544dcf1fc072a30f05ec52a8426ee4ab725158

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              Filesize

              3KB

              MD5

              3f01549ee3e4c18244797530b588dad9

              SHA1

              3e87863fc06995fe4b741357c68931221d6cc0b9

              SHA256

              36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

              SHA512

              73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Powerpoint.CampaignStates.json
              Filesize

              21B

              MD5

              f1b59332b953b3c99b3c95a44249c0d2

              SHA1

              1b16a2ca32bf8481e18ff8b7365229b598908991

              SHA256

              138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

              SHA512

              3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Powerpoint.GovernedChannelStates.json
              Filesize

              417B

              MD5

              c56ff60fbd601e84edd5a0ff1010d584

              SHA1

              342abb130dabeacde1d8ced806d67a3aef00a749

              SHA256

              200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

              SHA512

              acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Powerpoint.Settings.json
              Filesize

              87B

              MD5

              e4e83f8123e9740b8aa3c3dfa77c1c04

              SHA1

              5281eae96efde7b0e16a1d977f005f0d3bd7aad0

              SHA256

              6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

              SHA512

              bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Powerpoint.SurveyHistoryStats.json
              Filesize

              14B

              MD5

              6ca4960355e4951c72aa5f6364e459d5

              SHA1

              2fd90b4ec32804dff7a41b6e63c8b0a40b592113

              SHA256

              88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

              SHA512

              8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\FDBCAE3A-B7A6-40DD-81A8-1C9F22B0ADBF
              Filesize

              171KB

              MD5

              b9f6edde94a82710e82ca69d540fdd3a

              SHA1

              dd6d4afdf15c8a14cdbd6d64998f4ca6e5d103d0

              SHA256

              7269fdb7e37bfcab6d429d2184812193add1b271a8dd37ec2dc6287d7dbc747f

              SHA512

              70b6f07bb374924ed02af4ce3a5a27464fd6e865413eedd44fb71384e8ed4d9f79c37c4750bc410066cf2c5e79c947be52fccb647f241603e9d71d99a6f296bc

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\powerpnt.exe_Rules.xml
              Filesize

              371KB

              MD5

              2d0ce4a893137f83203f96f02eedf8ea

              SHA1

              55ecd3f7686a2274f223043d5fb60e8742fbf1a0

              SHA256

              1f031a7502d510f3731bb6be8740b8f0414b33e74d37d5b2acfe60fa076d81d8

              SHA512

              d9505304e76f2cb3e145ab37dadfdfe76fe38529d52057d2b0fe93190fe3faba0be020d611d88bac826e6e33f4b27349e89a2be241c11237bb789c46cac79c91

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\powerpnt.exe.db
              Filesize

              24KB

              MD5

              a6064fc9ce640751e063d9af443990da

              SHA1

              367a3a7d57bfb3e9a6ec356dfc411a5f14dfde2a

              SHA256

              5f72c11fd2fa88d8b8bfae1214551f8d5ee07b8895df824fa717ebbcec118a6c

              SHA512

              0e42dd8e341e2334eda1e19e1a344475ed3a0539a21c70ba2247f480c706ab8e2ff6dbeb790614cbde9fb547699b24e69c85c54e99ed77a08fe7e1d1b4b488d0

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\powerpnt.exe.db
              Filesize

              24KB

              MD5

              8665de22b67e46648a5a147c1ed296ca

              SHA1

              b289a96fee9fa77dd8e045ae8fd161debd376f48

              SHA256

              b5cbae5c48721295a51896f05abd4c9566be7941cda7b8c2aecb762e6e94425f

              SHA512

              bb03ea9347d302abf3b6fece055cdae0ad2d7c074e8517f230a90233f628e5803928b9ba7ba79c343e58dacb3e7a6fc16b94690a5ab0c71303959654a18bb5da

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
              Filesize

              2KB

              MD5

              4a0dd46aaf876ec7041281ed8e5fc06c

              SHA1

              e1c690aa63be25322e9c638f22ef628b2ff557dc

              SHA256

              8f3ef11cd717ba00806c281e1765b15da6c8ef6016689f2769722ba2e1174292

              SHA512

              17580f7e6b7948474815113230c0c1465b9391a4c855d30b7a9b8978f27fdd6e2e04f991e4f0e35e1a0dc1c18716212e4b4c44c7d5cf9b00f59fda4503f33dcd

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
              Filesize

              2KB

              MD5

              4ab74dea56f615e8e28beb2b938952e7

              SHA1

              738ba873981dad41f7cfbe9fb17c0be46804bdd3

              SHA256

              af08c4590a8fe5eed8fdbf7c68dea03f98fe67896caa7689bfbbfb2d09e748fe

              SHA512

              df3a9089cfd2ccf70bcb7cdf1e1f8fc9172705d033a76e14be2982c6845fe75c87886692b6209fdc6c94336323055cb117115beeaeedfe6d6f819806b9380b5a

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\f3df91c436730d7a37c58d5f25d9bf4a56fa3a34.tbres
              Filesize

              4KB

              MD5

              2ebac7a576fdbdaf29a9a6b2252dedac

              SHA1

              6bc6bcdd8312cefc938e4744481d46928dd1b094

              SHA256

              2a2d57ee7c4efeb93f67215d930193b88e4b8b86c61ebcf067524ec6449412f8

              SHA512

              57297f6b038389673b05d0e5e6782addb827c47ff77f2f259558b360ab01aa0a95c07ef2a44692261559aab4fbdd6da71db24ebb99b9190d38ea603a9ffb3890

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
              Filesize

              53KB

              MD5

              a26df49623eff12a70a93f649776dab7

              SHA1

              efb53bd0df3ac34bd119adf8788127ad57e53803

              SHA256

              4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

              SHA512

              e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              104B

              MD5

              ac2dc3163c734c15d71f84a8d4c674d8

              SHA1

              0a5e0e53984169a5b19004e421a34988276d5d3f

              SHA256

              0ebad1502013dba7f50c28738814717332569dc57b10616964b742a040e4b7ab

              SHA512

              4e342d075eea0f1c1e92d349c294c9c8a9ba4ee9813dd81ee677d6bfbb7aa01ade9090e06d67f912a9d23ffb141193379a55bbc1ee720ca5edd520ca83dc226b

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              2KB

              MD5

              02faa0cd260abde139e8d07d3d7bf403

              SHA1

              bbb1678bc3c372461c92e36e53cee8ca25670e71

              SHA256

              f06824cdc7c7b090fd5a9a09a5c3b6a4bcd00ef98cd8cd9aca1de9f7430b3533

              SHA512

              797e4cf65d862d8d7e11323815a17b056cf3b2a71ace863d3bbea5b8ed5bd4f14adebb115c9113aa938385c35994b9e1987b335cd7d50ee891a957a2a5378bf8

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              3KB

              MD5

              0a63fb9e2e5be4f3d6f6773f1e943ea6

              SHA1

              ae5080661363d434506b59867c6a4c85769e975c

              SHA256

              48879713269a49a4eabb60baa26221e3473ed50cfdff11d886fb4f3d2a12b087

              SHA512

              2a66a6e166702ed1c3ecff255d6a0191260e7a3cb7690afc20ebed267398f8f30c827731b29ec3ce3f46e447ea986741e1b17994c2b42c517766f972bf8fa176

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              2KB

              MD5

              6813ceb36d8d1ad4c373225864935d45

              SHA1

              2986e5921959e2e93dd99343af6af569b1c55ebf

              SHA256

              2b4769231d6945a6a4ca018f8c0a15728230217a9078d4ac706b94d54b51cf71

              SHA512

              2bdffb01d87c05f864eead1c76197a79bfedb54185f9ccdf07871ec283342a2fb95e33b74620533e36297834342733f40b4e09d16b5d475f580fcae3944b6ddf

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              3KB

              MD5

              6e809f4c18466a0a63db912fb7a2441c

              SHA1

              d88653e1426406c3175c3fee38d55cd94a1ec5b1

              SHA256

              2a684a0f36716559ec3fef1d5cdcd0fa7d48cd59e40457b7adc4d7b1f9a0c9fa

              SHA512

              b47bb55f42d8930277dcab4d3850aba5b1f40b794f07cf1a0858b7280dc8bab243f445c50d2a45fa183c8f664c4864f476d4565c85380fc10cf45fe53d16100c

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\5847E14.tmp
              Filesize

              81B

              MD5

              25cb9fdae2db2509a50fab99e0b1d704

              SHA1

              217a2f6b39bf3c93202916acd23ba447d4887f59

              SHA256

              593eccb1873aa5ebe0712978be1492115a61e2bea2d119baeef857ac09fd21df

              SHA512

              77950cdf770e4698687312f8e96949dc7d4b24dda2f758fab22a6fce438b51ea84cb62924ab58c402d76f3c0ae98b736e5052b102a9add4bfd488f3fc91b1186

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qxkxrm5q.ywg.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
              Filesize

              252B

              MD5

              fe8c809a1aae7fb8ae8ff6dccb21d7c3

              SHA1

              e886b06370a039f4fe4b8596e836f22124a6af80

              SHA256

              84c14dd26126f393b06fb62438f48baf6358f003ec3100b0840de3fb2d5cabe8

              SHA512

              85dd0f0f240eca5094863374ea2e42145d58aaa08fb2807d4215aee6df2bab4a909dd82138d43585f7043db4f39f0d204d1eb00e7cfabb740944dbde18d62882

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
              Filesize

              504B

              MD5

              76f9e2356d77e9450569350256fc1c00

              SHA1

              cbdb84fc7a8af902d7c48515bb24fd05f19fc536

              SHA256

              3ad06244ec59eabc524d0b5af370d05423ae179c50b66887f9798fb323fa2841

              SHA512

              4073746345113e806cf7eea6446412eedbc589b9e4a246fe751b88df86151a5c4be2e17885365261d09649fb43fb2e1c7c73950bf1a045da06ecb727d09a7d31

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
              Filesize

              756B

              MD5

              2b4499ef082b35ab4620793e76494327

              SHA1

              c7d23dd28d29b14ba9629ef59e634cd0bda3ee12

              SHA256

              6be3012d26fa03a9c49bfbe2e2a3947ac3a216e5dd3ccc4ad8600925c25086db

              SHA512

              3be7bcf5cfe0e782741c2bad5b91824a5a915a27c590502425718db113b380c5c61e05e277082be237cdccc848b1b2e811725c8c8dd1635d046fad45413b1a93

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
              Filesize

              217B

              MD5

              210c8710474b53fe3e1a20da9bd02c12

              SHA1

              8b75fda2edf12800528e6613ab3fbf264cd3f1e5

              SHA256

              1322fc77d783c0c6b31f7a450acbfc268e4101f8acbf8cc4dd4a158c12193c34

              SHA512

              43709cd09cf7f126481255a4d9b704c9acacc9be5b7d54edc08106a389705b0d685f6989a1840694b94c6cb7be53535b679f0d490adfb4786537a504ea7a83ae

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
              Filesize

              6KB

              MD5

              34c9e53ebca7fd728dc0bbc0d887be47

              SHA1

              60010b922082ac3d2dd909b6af4af628dc1540d4

              SHA256

              f861e3281ae1ec9fc3c148fe86112d383cac046927dd3a6b4682b4610ceb292a

              SHA512

              663340ffdc9f52a192c63efc585acc1f56a8a33400f0b6a87c477ee0d070bc8d165a020b3c878d99123dafd713c201366d6495c1845904ad545211b735c301a5

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
              Filesize

              6KB

              MD5

              db5191d24a0e1df23d7525377e91e067

              SHA1

              9634adf7c4fc601d480f2e953eea87f8c689a665

              SHA256

              43244dc960d4b68b58cddeaf7e3326e0bca605e4007bd6f5c861e8e9008c61b8

              SHA512

              ef487dad819034024039913d1b2772938d7fd08ca378dce4350a8f98c4296219996d5ffffee89bd4586076566da7fad52c4df35a0b644a920c47d48c946d5479

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
              Filesize

              6KB

              MD5

              3e916ebe1f1e78ace11400422f7ad52b

              SHA1

              18e7b6f5ffc8730a1fb1d664398e4c344d46ae97

              SHA256

              160c6fbf43951c055c6869cbb1aa2af403e7566c3d1f516f04af6b4e6a8025a5

              SHA512

              8730acc3a39b6331d9e5bd5e3dde6f61a98156b3cc2187cc5c893aa8cd50b0a39d8cd09d8a7813832c16b2612c95a8d75f1df5f1c258dfeb81e228fde0462b2f

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
              Filesize

              6KB

              MD5

              32aed49117fd975ba4458ee2eec789e2

              SHA1

              7844e597456cb74690e3e5ac122d4a0e859cf1ab

              SHA256

              be8ebad9b8847def88d54a4d778b185b12e38105f5c92112749eb2a7c248b20a

              SHA512

              1edf5627a05f0c27f5fb0703b6466d61404c36be4b63fd0967341639f6669d278f6be1e04382b6abc692a78a720a500d16135ecf70563efa875a2fbfef63f4cb

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
              Filesize

              6KB

              MD5

              359943306740fefc0eef657ad3c869d9

              SHA1

              ff7c32b9606ef4cbdb77102c78b483b917e61a76

              SHA256

              b816fb484b74d47739b21d89675af53159fab02fd74def3284c6d5567e47bf65

              SHA512

              a0a8c47d07c5d088f68eba289abc1d463c4334712f3fb552a0bc4a4cebf872cea6952c4b836a2a44537b83acfc44dde74685b86e260c0309c52be63105b8f5ea

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
              Filesize

              6KB

              MD5

              a642c99fc8bd5f28399280658e07ac8e

              SHA1

              0059fed2728ffa1cdfe212c5e70b58a4e0f7973b

              SHA256

              e63ce19d205931b76d887dd9e060ef4f20421286ff97556d5539c17ba0d7f133

              SHA512

              a96113f8e21a940e6113e21babfb007b4fd61606da59fd81019a073c16e123a804be33d9b66ddf2d4ad7c79e504b91230276dfa0bb9e2edba6de2630adb5b488

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
              Filesize

              6KB

              MD5

              bfcebdf9ce156159d02a30b5804f2024

              SHA1

              6aab77c20b1693df6fc6cec4e04df17f390f5888

              SHA256

              ba9b0f742d7d7279d9319ec0a9aff092a2c736064824221817b64aebd3adcf11

              SHA512

              30ac612b8cd8bcf2b9e4717e507a74fe875bdad74f2323d0a1c8ccbcd49b3efc99986ac03a2ac033a24e3024b23bcb0ef128c90ebe8f400a4ca414d04866c0d1

              Download Submit

            • C:\Users\Admin\AppData\Roaming\nerIVJXTbrPkqwd.vbs
              Filesize

              2KB

              MD5

              4ab3e87d9d3e6cf50f9787e2085fa8c7

              SHA1

              5203b0409105410903b2ec612684e1c1d3c5d7c4

              SHA256

              4f42c1f4f7fb9a5813e1710b80f7841b71ee5fff65255dc20f1c8b3eba26574b

              SHA512

              c3999a17ac473ed314a06625bdbca4249198ba9b7e266fefe487d976021c2ca2aa7b58ffa6d89459bb4904713a1c71bcc82e3b70481a28638debc34ddee1c5fd

              Download Submit

            • C:\Users\Admin\Desktop\~$StopOptimize.ppsm
              Filesize

              165B

              MD5

              5ddc860d871aca9286f2a680e63af7e6

              SHA1

              dfa0bc3318667d8da509398a3138888d0ea50446

              SHA256

              1176a0c9b71c5a4992774717d673027786db7e377e3d40a8a0606853e63afeb5

              SHA512

              13b343323e1429e8f87ef14b8162f357c2c82be5927c6eb74caf367e8bba732fbce8f02da3391bafac51e9ec7b382d27ea6ce0959ea08f02079f7ca2705b51e3

              Download Submit

            • memory/212-14-0x000001902D490000-0x000001902D4D4000-memory.dmp

              Filesize

              272KB

              Download

            • memory/212-15-0x000001902D560000-0x000001902D5D6000-memory.dmp

              Filesize

              472KB

              Download

            • memory/212-4-0x000001902CFD0000-0x000001902CFF2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/212-68-0x000001902CFC0000-0x000001902CFCA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/212-70-0x000001902D460000-0x000001902D46A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/1412-127-0x00007FFCB2CF0000-0x00007FFCB2D00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1412-126-0x00007FFCB2CF0000-0x00007FFCB2D00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1412-124-0x00007FFCB2CF0000-0x00007FFCB2D00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1412-125-0x00007FFCB2CF0000-0x00007FFCB2D00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2452-494-0x00007FFCB2CF0000-0x00007FFCB2D00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2452-495-0x00007FFCB2CF0000-0x00007FFCB2D00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2452-493-0x00007FFCB2CF0000-0x00007FFCB2D00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2516-109-0x00007FFCB2CF0000-0x00007FFCB2D00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2516-112-0x00007FFCB2CF0000-0x00007FFCB2D00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2516-121-0x00007FFCB0390000-0x00007FFCB03A0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2516-118-0x00007FFCB0390000-0x00007FFCB03A0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2516-110-0x00007FFCB2CF0000-0x00007FFCB2D00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2516-111-0x00007FFCB2CF0000-0x00007FFCB2D00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2516-108-0x00007FFCB2CF0000-0x00007FFCB2D00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3108-511-0x00007FFCB2CF0000-0x00007FFCB2D00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3108-513-0x00007FFCB2CF0000-0x00007FFCB2D00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3108-499-0x00007FFCB2CF0000-0x00007FFCB2D00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3108-501-0x00007FFCB2CF0000-0x00007FFCB2D00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3108-514-0x00007FFCB2CF0000-0x00007FFCB2D00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3108-512-0x00007FFCB2CF0000-0x00007FFCB2D00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3172-71-0x0000000000D00000-0x0000000000D26000-memory.dmp

              Filesize

              152KB

              Download

            • memory/3172-74-0x0000000005220000-0x00000000052BC000-memory.dmp

              Filesize

              624KB

              Download

            • memory/3172-73-0x00000000056F0000-0x0000000005C94000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/4852-47-0x00007FFCB2CF0000-0x00007FFCB2D00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4852-18-0x00007FFCB2CF0000-0x00007FFCB2D00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4852-17-0x00007FFCB2CF0000-0x00007FFCB2D00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4852-19-0x00007FFCB2CF0000-0x00007FFCB2D00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4852-20-0x00007FFCB2CF0000-0x00007FFCB2D00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4852-16-0x00007FFCB2CF0000-0x00007FFCB2D00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4852-21-0x00007FFCB0390000-0x00007FFCB03A0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4852-22-0x00007FFCB0390000-0x00007FFCB03A0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4852-46-0x00007FFCB2CF0000-0x00007FFCB2D00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4852-49-0x00007FFCB2CF0000-0x00007FFCB2D00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4852-48-0x00007FFCB2CF0000-0x00007FFCB2D00000-memory.dmp

              Filesize

              64KB

              Download