Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-09-2024 01:41

General

  • Target

    4d89b6fc60ffaa84af321fb2120185994a22605d80d175d71c5780e753d3ec8d.vbe

  • Size

    11KB

  • MD5

    f2ba7d3b3cdabd02dbcccb1174088b1d

  • SHA1

    dbc02a29b2b042af0b988c698be5be7885e127c1

  • SHA256

    4d89b6fc60ffaa84af321fb2120185994a22605d80d175d71c5780e753d3ec8d

  • SHA512

    876f7a01b9abbaaf7dff88e16a362eafa5ba13b9031c1d6cfef195b426e89c4a287c26d717320886a225d7904aca3635bf3a6a8f2286a5d89bfadb0b330da154

  • SSDEEP

    192:lwZ1ZSTlbLJya3RGALtUtNG7YkGEY9CNsRXX1SAkt0pdzea1iGDcgjK:6rITlbz3L5UtNGWEYCNsRXX1medzL1iZ

Malware Config

Extracted

  • Family

    snakekeylogger

  • Credentials

Signatures

  • Snake Keylogger

    Keylogger and infostealer, first seen in November 2020.

  • Snake Keylogger payload 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 8 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 27 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 20 IoCs
  • Script User-Agent 1 IoCs

    Uses a user-agent string associated with a script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d89b6fc60ffaa84af321fb2120185994a22605d80d175d71c5780e753d3ec8d.vbe"
    1⤵
    • Blocklisted process makes network request
    PID:920
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\nerIVJXTbrPkqwd.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2612
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1396
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2472
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1936
          • C:\Windows\SysWOW64\choice.exe
            choice /C Y /N /D Y /T 3
            5⤵
            • System Location Discovery: System Language Discovery
            PID:736
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1396" "2712" "2360" "2716" "0" "0" "2720" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:4552
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2076
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:700
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3476
          • C:\Windows\SysWOW64\choice.exe
            choice /C Y /N /D Y /T 3
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3084
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2076" "2744" "2676" "2748" "0" "0" "2752" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:3164
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4076
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4076" "2784" "2712" "2788" "0" "0" "2792" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:1644
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4360
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4784
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1396
          • C:\Windows\SysWOW64\choice.exe
            choice /C Y /N /D Y /T 3
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3336
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4360" "2724" "2660" "2728" "0" "0" "2732" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:2556
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4384
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4384" "2680" "2608" "2684" "0" "0" "2688" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:3972
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4612
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1224
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4828
          • C:\Windows\SysWOW64\choice.exe
            choice /C Y /N /D Y /T 3
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1128
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4612" "2708" "2472" "2736" "0" "0" "2740" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:4164
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2760
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4060
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3540
          • C:\Windows\SysWOW64\choice.exe
            choice /C Y /N /D Y /T 3
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1608
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2760" "2728" "2676" "2732" "0" "0" "2736" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:3888
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3816
  • C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Desktop\SavePublish.pptm" /ou ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3320
  • C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Desktop\SavePublish.pptm" /ou ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3100
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    PID:3116

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

      Filesize

      471B

      MD5

      d11a564f92ffe2d43c35ec2946a29546

      SHA1

      0779c8baa0e1bdf76424db75a71e52cbf22db2fc

      SHA256

      d156b4c63f6fdad0ba2b7f1b71b21764f1cb12f67cc3617a5b541e71af572f86

      SHA512

      14b288fda8320c3938559518b7a7708d1b0fa7fe70cbd3b41977b4bae945ae744cf6cc8685cbf8ec574941b2d5ea3a4fc236afb84f19705dc6650d1e80b12939

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

      Filesize

      412B

      MD5

      977ad15958fa88f5b4464260c344e7d6

      SHA1

      460a84eb4c30901f47371595af1cc593915f4a1f

      SHA256

      32aed2e952c28613bc107284f1d438e0c8c4823319805c4ef5e1405e3a91d9d8

      SHA512

      0f7c1ddcc2409ec0f78033e3ba236a3c838321b54d2d5d4d377aaefcce002ad5bfbd207fe3876c2bf2c39ef0a5c73f0aeaa8b9beeca5a791aefea3a6c0524f77

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      3KB

      MD5

      9461a7cfb20ff5381df28f51b80c5ef1

      SHA1

      c86c53fca1dcbe307dafbefbb366abf52c9f5eca

      SHA256

      d4af1948337d0deb725f4f2b1fe1a9b60f4519841e28748b11bfd62ccd71e028

      SHA512

      da1e17f67dfebb004ba93d489be504fd7af6d62709ada2581ffa77880baecdaa0015b49d36333d18216d9dc6aad7b0ea2e5bd224d8d3f65ee9b66a05fc45e304

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

      Filesize

      1KB

      MD5

      3668d81576650b0fe5ec94229737504a

      SHA1

      ab4d7a47e6870d67ad9373aaeb2d3c95b4282a15

      SHA256

      9e465fac2511971cffa834b8d51f56cbb65202b68fab3e054b483c46460155c8

      SHA512

      24625f6d057e6c329b7d2b5c689d7cd7fd3c51b35fa83662203255d496ac1b43b7d15c02c6ada5d5f343c9bf9d2efdb56a60e1585a564788b0eea925067c7a4e

    • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\EAB21780-A92E-4B18-AAD5-483A1F4FACDE

      Filesize

      171KB

      MD5

      bb9535574b6c7e6b05bcb729c02190be

      SHA1

      6f27b0155d8877db97eed4ca94b71aedf68de28a

      SHA256

      491f2b37e380e932b5c4d3a14a2815042542efcbbe100936e980bca825f0fea3

      SHA512

      101cb8a2d6d8fcb1bf816de44f9f937ebeda163e6bcd99b136c30f54bf66c8d0420ed34779cd96cbe5f4fecc178eaa59ed5c440e072f30c50a5452e5aaf75d22

    • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\powerpnt.exe_Rules.xml

      Filesize

      799KB

      MD5

      788a73faa1d04c258ece119e48f2c411

      SHA1

      bace77068bdd3e060d3a7c01ccc8ef6d57ef0523

      SHA256

      d7cfdc3b5608d5db5e41cc8703a1b01f9fec31d62aa39fc39bb2e0dffe4e3391

      SHA512

      b2cdd0185f90ea3981a5f47881b90705dcef11eb690e7aeea8236ac5a877821763e146755bbdca30d7d452b963b0716450f8b14b2ad63b3900e05ef219c9b312

    • C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\powerpnt.exe.db

      Filesize

      104KB

      MD5

      d0600aaea8b1a614045903d726acfcf8

      SHA1

      b5bfbe6ab42f60f072f86bd502d114fd2574844d

      SHA256

      b50d1ca708437baa22d47948d5630b10c5d495b4b6b81550ca4e7a4cdb55181a

      SHA512

      33cfe6d733eb67c1f12af5207c758b978dfc35f99bda00bb344875b35c810e2bba86e9a9a142021e719cf9555131f20abfa4fd045f5704ac43365012ab1eea45

    • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

      Filesize

      2KB

      MD5

      9997302bdf81bb40fa6014e3de4628b9

      SHA1

      f537a056727f70fd5592b8a46b2700e4baa7b948

      SHA256

      586928a533194f4663e25fa2a88b216ca185e78783fe8b3d16e62861a9e6bfba

      SHA512

      9feee4ff1b4a20d30cde9be0123c04e50b29507c008575fd893603e251ffdb511dd761a4da396063b62cc98b932b77c43dfa628619435c6b016c425cd3773c79

    • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\f3df91c436730d7a37c58d5f25d9bf4a56fa3a34.tbres

      Filesize

      4KB

      MD5

      e69e5f7854eb91b4b5a434335b3ab493

      SHA1

      e498cf9fcd327bd3fe31e30ba93616b82010f3ab

      SHA256

      dd840fa2e008580fecf14658c2e6939adf4495e64172d81d2a5602d13157099a

      SHA512

      82adca08c26b5f710f76765f6d0b9c2c029656db0b5ee009d9b7ab384564168fdc1d1504b54088703b18da384f25e546b04fde2a13ac348e0a573629b478dc0c

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

      Filesize

      53KB

      MD5

      a26df49623eff12a70a93f649776dab7

      SHA1

      efb53bd0df3ac34bd119adf8788127ad57e53803

      SHA256

      4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

      SHA512

      e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

      Filesize

      536B

      MD5

      7c5af3b710b794c6f8433daf63f0f41a

      SHA1

      99f84b3af345384e3d29c480c8dcf862fef5aa88

      SHA256

      fff0f26b6413417471621eaebcc710d17d67bf27d7e2a116a025438d9537bacc

      SHA512

      f349e0f7709e968e657863dc871da890b60d05cb6f33b5ec8c4252cd979ca1fe0bfb51a07eab85cb99e80da6feaa21e5629a2de64fc856edbf4b913b4255075a

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

      Filesize

      2KB

      MD5

      a00e197ecab702e85c5e78d9b14b03eb

      SHA1

      1ebef1868011969ed5ce4f5e62a3e27bbf855910

      SHA256

      a2ce25bf9cb29d07e74fd896129838a730a7976bb1bc4532a8dc4f7c8b14b1e7

      SHA512

      f60daba59036565c96dfc8e52e1e6d5e9b72823882e78225e95a6ea83fe9ae43fd39c82827b8d30ab3a35a3847b6ea992578dee29b99cae697511d658da2fb78

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

      Filesize

      2KB

      MD5

      982b65dd63631d61b9c750526295e3de

      SHA1

      4406cd4da8740eae8c7d88dcc01dea884815f5c0

      SHA256

      e3ee56082b6376704b67e1b16771919b5c4a7979e53729e98dece9cf26cd0d51

      SHA512

      562943756a3b7965ebab697e67ceccbcbbf394054b310fed47e01daf10f8fb53c5dc9b3dacee3279b405517248fb4145311ece83e9b212d9b4160fbdf63098d0

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

      Filesize

      3KB

      MD5

      a7b92abf3ce1e0db36df0c34f1374bbe

      SHA1

      9f2803cbc151dffbcc014d21cf8a9107d4b6bc36

      SHA256

      71bbc8263c41c81bd27742c939a8d5808965d1ed267c06d48f284da3c90481fe

      SHA512

      ad710230dea73efd3b7a7da4e8cbaffc48d13de398fe33ccd789d402849ad311d6660078d4670a87483e5e8c12aa18506fcc52a14d9cfd3c94aa9c379cf37d5f

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

      Filesize

      3KB

      MD5

      04049ceb01c911ff2efdbb1919f20123

      SHA1

      2ca8cb5ba7980d47e98276819f1225c52a4af0f8

      SHA256

      7da162387a7e9dd203fcf474134dd9d8469b05bdea809ef79c646d5b5c898abf

      SHA512

      cf6dfc96f45bcd6218a14f821d0a7f239454f193baf0a7f45dab2400da6752eab08d90f047aa5ddf2f1f63f6dc0da9656f742c91dbfe9144574cb4d084f19012

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

      Filesize

      3KB

      MD5

      0fa890bcc24627b309591f8d2a692028

      SHA1

      edba7cfb6fee6860c862d4b384a03cdebe535ee4

      SHA256

      48b7a3f9b77f9ca8c6e20c9a35dfc8068ad8006f43e6e94c2c46fdb9c35c15c5

      SHA512

      a34380e2422782a3bab9842424dc41005e4878f735b2aa5d9aa80cbb1a6d4901c50f4022a70fe5232e5e6e9c35f11d6df62908a1b2d1e6a9aa531510430260ac

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lme0uav5.tfj.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

      Filesize

      504B

      MD5

      76f9e2356d77e9450569350256fc1c00

      SHA1

      cbdb84fc7a8af902d7c48515bb24fd05f19fc536

      SHA256

      3ad06244ec59eabc524d0b5af370d05423ae179c50b66887f9798fb323fa2841

      SHA512

      4073746345113e806cf7eea6446412eedbc589b9e4a246fe751b88df86151a5c4be2e17885365261d09649fb43fb2e1c7c73950bf1a045da06ecb727d09a7d31

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

      Filesize

      756B

      MD5

      2b4499ef082b35ab4620793e76494327

      SHA1

      c7d23dd28d29b14ba9629ef59e634cd0bda3ee12

      SHA256

      6be3012d26fa03a9c49bfbe2e2a3947ac3a216e5dd3ccc4ad8600925c25086db

      SHA512

      3be7bcf5cfe0e782741c2bad5b91824a5a915a27c590502425718db113b380c5c61e05e277082be237cdccc848b1b2e811725c8c8dd1635d046fad45413b1a93

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

      Filesize

      1008B

      MD5

      65b6a9d7742cb4be5f2b8150fdc4b9a3

      SHA1

      65895e46790eaa806644a0c12961679b7b8486a4

      SHA256

      5753f7b2dbe887559813873c16ceece325af1cfb1432d87efe30e7cab4223298

      SHA512

      7a7e8c6d1ff638002fb1adb9fea27e2ff1b53cf86e4242519e5c8878fbc94f13236621e01ea8cbd3d2f7e20ee09499f68a026f63e6358c3d3df3308d7bcd2e3d

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

      Filesize

      1KB

      MD5

      d4e42987baff2a23406a3dcd5b9613fe

      SHA1

      c2aa6e23870a03ef16db6a05abdc959f7d191f28

      SHA256

      da14c73551a8d3b3fa0ccb4beefbf0207b92253e7ad4c71e0649bed0a6934649

      SHA512

      85b935aa517bad146f10c1b9f5a714c4642435705f7b18333753c21e5851b321eea5a96a3233bf374bbe1255324dbea0d4933ecfef3b06c5f7cea6e18d718bb9

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

      Filesize

      252B

      MD5

      fe8c809a1aae7fb8ae8ff6dccb21d7c3

      SHA1

      e886b06370a039f4fe4b8596e836f22124a6af80

      SHA256

      84c14dd26126f393b06fb62438f48baf6358f003ec3100b0840de3fb2d5cabe8

      SHA512

      85dd0f0f240eca5094863374ea2e42145d58aaa08fb2807d4215aee6df2bab4a909dd82138d43585f7043db4f39f0d204d1eb00e7cfabb740944dbde18d62882

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

      Filesize

      6KB

      MD5

      670a7d66c206320af01ff6afed0769d6

      SHA1

      67e9c6b4318bda6051461f8e855c3082cd3c4aaf

      SHA256

      4aaf09e9c2f8c5d6c0e8020eb66ffd9df0ec28cf5b4ebee9541f5bbd63164db2

      SHA512

      ab19f9bb8e7457a1d76e85ae1a5934ce91f8733ad4198255abbf6762e7cd054d7d8618e57a08bb7fd5297be9ebd5908598a80b235c7d01e1804fc978da471409

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

      Filesize

      6KB

      MD5

      9d77fbf4d5cc7343b38a554c1e05453e

      SHA1

      e240015cd651e75d6b656929a2e54a936788f7f8

      SHA256

      a1257bde9239e114bd510b99859c0c557b26c47c34ff8824c5026187cbdf6dad

      SHA512

      f8a75ff2faca1ff32e5a940c915a6b789d8ebc1e7b73d9e97557b4dc46fc39dc0b79fbef1d21a455cdea9fa3ffc957f255961a62777004a15b9e930ff2e84e21

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

      Filesize

      6KB

      MD5

      23848e800e7e0e2e5c85d99a5e2f1439

      SHA1

      130a0ea10cb52ba9403d48dada5da5b85ed12c22

      SHA256

      586def21a21cc8e1c5b20c59747c8f98180ddd8bc5143c6799c93e7d92693c27

      SHA512

      fc06bc6e476075bee0f2147c7c376ff9aba7d7278b5a9f1eb43096e6f52af7dd272d8e5de79d21c29a23c426b753ffdb1402b6f3dc5f51f978f4def68ba7295e

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

      Filesize

      6KB

      MD5

      d5340254a43c017635c3333fc323fba6

      SHA1

      8c7943a19d5cfe180bb72fcce9ff78be53b40f13

      SHA256

      1da3d2a0895ef9144d1739c9c1129d4bf9c6b39ceb19d6efef5a323977254b41

      SHA512

      54f742fc59a4908bd34503baee406cc999efa94edf71269f51ab75db4a252e19039b52b75a3a4ad13ece24dcb83413a36da11a8743238594814818d647340f55

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

      Filesize

      6KB

      MD5

      d4f163c3f35c5ebf9d1bcb911a049645

      SHA1

      5d595c53cd086045ea58effb1de905bfb1633aac

      SHA256

      21839864c1d0671e13b3c7a08855ab1d05c1ea088ca2360ac7de8592c332b990

      SHA512

      2586199ba1107939e97c7295e42b9d4816a6a0fa3bd7208a2a03a90732261520eb260876c1951bef926a352a05a66e275415a61119171aaed21ca8ca711bdcf1

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

      Filesize

      6KB

      MD5

      55a18bfa99bb344c8fe480d1722e3451

      SHA1

      3808db16a70169e1af025446755b1b3a9acc5f93

      SHA256

      e131a98bc2e10225cb97b526c73985141b411237ff8ab12dfc44c662b36ec236

      SHA512

      c60bf1142536d2a3d12c6710cfdb4f61aae0459e4de71d7049671219de680c0ddf390cd1aa347ee5c4243a9eac169a1cd6905c407327a25fc0fd833589b20a8c

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

      Filesize

      6KB

      MD5

      e50ff3625868cf2a8d38fe26f4d72464

      SHA1

      19416512da5874fcd6b212fcc2b228a9d09a9230

      SHA256

      ddcee4c67161ff8da552c364ccc5af75c28471bbc076412553acf4dba175664c

      SHA512

      3094566742a6e50e62287424664b3111087028484d18e56b8ed2e382b9611744c8704a1d1b33b5f1fe64c7875c4e372dc221e0548475b2eef57c5a5a77bade3f

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

      Filesize

      6KB

      MD5

      29b28d915de2aef4cfdb0724c21ae7be

      SHA1

      141aa746f77887ac2b74ca404329aa5e1e9047d9

      SHA256

      0ef2c56c0c88f618504c5750b68b636daab8e479fab611ad583ba580634210fb

      SHA512

      f9944fecff847c66597ebf05121d9af2b1c95a1d90b7c2a9b43b66337dc03ec4622b9b61b6918341de26be5a2581ec8d753a14d490ffb4c2f37918c8a93637fe

    • C:\Users\Admin\AppData\Roaming\nerIVJXTbrPkqwd.vbs

      Filesize

      2KB

      MD5

      4ab3e87d9d3e6cf50f9787e2085fa8c7

      SHA1

      5203b0409105410903b2ec612684e1c1d3c5d7c4

      SHA256

      4f42c1f4f7fb9a5813e1710b80f7841b71ee5fff65255dc20f1c8b3eba26574b

      SHA512

      c3999a17ac473ed314a06625bdbca4249198ba9b7e266fefe487d976021c2ca2aa7b58ffa6d89459bb4904713a1c71bcc82e3b70481a28638debc34ddee1c5fd
