Overview

overview

7

Static

static

7

IDM Trial Reset.exe

windows11-21h2-x64

7

out.exe

windows11-21h2-x64

3

Analysis

  • max time kernel
    88s
  • max time network
    78s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    11/08/2024, 11:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IDM Trial Reset.exe

  • Size

    874KB

  • MD5

    064f82094ae6a6e22c28a6f1ef868a26

  • SHA1

    e034cf1fa855eef53fd46a5ec213ada99e2ece19

  • SHA256

    a2d2b22cd0d5628976eb5996a8b20f3b5ac468907910dbc3f826f1069d435587

  • SHA512

    7fced0980ada793abe81337911d00d6e351ba1e9ce7c6193c9f4af29c1cf210f18240071d33edb237d752dbb7732de205c1d49530ae7bf8aecd2b3147edd3afe

  • SSDEEP

    12288:fozGdX0M4ornOmZIzfMwHHQmRROXKFHhFjvVAcJlbqm9is3MjNindDO4FVALS/Bt:f4GHnhIzOarrVuy8jadVFZIV7Um5iJ

Score
7/10
discoverypersistenceupx

Malware Config

Signatures

  • Executes dropped EXE 64 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • AutoIT Executable 5 IoCs

    AutoIT scripts compiled to PE executables.

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 12 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 25 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\IDM Trial Reset.exe
    "C:\Users\Admin\AppData\Local\Temp\IDM Trial Reset.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3532
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query hkcr\clsid /s > C:\Users\Admin\AppData\Local\Temp\reg_query.tmp
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Windows\SysWOW64\reg.exe
        reg query hkcr\clsid /s
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3060
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c findstr /N /I cDTvBFquXk0 C:\Users\Admin\AppData\Local\Temp\reg_query.tmp
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1784
      • C:\Windows\SysWOW64\findstr.exe
        findstr /N /I cDTvBFquXk0 C:\Users\Admin\AppData\Local\Temp\reg_query.tmp
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2256
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c findstr /N . C:\Users\Admin\AppData\Local\Temp\reg_query.tmp | findstr /b -1:
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:236
      • C:\Windows\SysWOW64\findstr.exe
        findstr /N . C:\Users\Admin\AppData\Local\Temp\reg_query.tmp
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4108
      • C:\Windows\SysWOW64\findstr.exe
        findstr /b -1:
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3044
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192} -ot reg -actn setowner -ownr "n:S-1-1-0" -silent
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2472
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192} -ot reg -actn setowner -ownr "n:S-1-1-0" -silent
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2080
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192} -ot reg -actn setowner -ownr "n:S-1-1-0" -silent
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1692
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192} -ot reg -actn setowner -ownr "n:S-1-1-0" -silent
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4340
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC} -ot reg -actn setowner -ownr "n:S-1-1-0" -silent
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:876
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC} -ot reg -actn setowner -ownr "n:S-1-1-0" -silent
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2464
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC} -ot reg -actn setowner -ownr "n:S-1-1-0" -silent
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:576
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC} -ot reg -actn setowner -ownr "n:S-1-1-0" -silent
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3520
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671} -ot reg -actn setowner -ownr "n:S-1-1-0" -silent
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1556
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671} -ot reg -actn setowner -ownr "n:S-1-1-0" -silent
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1732
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671} -ot reg -actn setowner -ownr "n:S-1-1-0" -silent
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1476
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671} -ot reg -actn setowner -ownr "n:S-1-1-0" -silent
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1488
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C} -ot reg -actn setowner -ownr "n:S-1-1-0" -silent
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3632
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C} -ot reg -actn setowner -ownr "n:S-1-1-0" -silent
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:996
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C} -ot reg -actn setowner -ownr "n:S-1-1-0" -silent
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1344
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C} -ot reg -actn setowner -ownr "n:S-1-1-0" -silent
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4376
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7} -ot reg -actn setowner -ownr "n:S-1-1-0" -silent
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:240
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7} -ot reg -actn setowner -ownr "n:S-1-1-0" -silent
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1116
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7} -ot reg -actn setowner -ownr "n:S-1-1-0" -silent
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1028
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7} -ot reg -actn setowner -ownr "n:S-1-1-0" -silent
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4764
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192} -ot reg -actn ace -ace "n:everyone;p:full" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1804
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192} -ot reg -actn ace -ace "n:everyone;p:full" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
      2⤵
      • Executes dropped EXE
      PID:4060
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192} -ot reg -actn ace -ace "n:everyone;p:full" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
      2⤵
      • Executes dropped EXE
      PID:4984
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192} -ot reg -actn ace -ace "n:everyone;p:full" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
      2⤵
      • Executes dropped EXE
      PID:816
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC} -ot reg -actn ace -ace "n:everyone;p:full" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
      2⤵
      • Executes dropped EXE
      PID:5020
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC} -ot reg -actn ace -ace "n:everyone;p:full" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
      2⤵
      • Executes dropped EXE
      PID:4856
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC} -ot reg -actn ace -ace "n:everyone;p:full" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
      2⤵
      • Executes dropped EXE
      PID:660
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC} -ot reg -actn ace -ace "n:everyone;p:full" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
      2⤵
      • Executes dropped EXE
      PID:672
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671} -ot reg -actn ace -ace "n:everyone;p:full" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
      2⤵
      • Executes dropped EXE
      PID:1780
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671} -ot reg -actn ace -ace "n:everyone;p:full" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
      2⤵
      • Executes dropped EXE
      PID:4748
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671} -ot reg -actn ace -ace "n:everyone;p:full" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
      2⤵
      • Executes dropped EXE
      PID:2516
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671} -ot reg -actn ace -ace "n:everyone;p:full" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
      2⤵
      • Executes dropped EXE
      PID:4692
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C} -ot reg -actn ace -ace "n:everyone;p:full" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
      2⤵
      • Executes dropped EXE
      PID:1464
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C} -ot reg -actn ace -ace "n:everyone;p:full" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
      2⤵
      • Executes dropped EXE
      PID:5044
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C} -ot reg -actn ace -ace "n:everyone;p:full" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
      2⤵
      • Executes dropped EXE
      PID:1488
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C} -ot reg -actn ace -ace "n:everyone;p:full" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
      2⤵
      • Executes dropped EXE
      PID:3632
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7} -ot reg -actn ace -ace "n:everyone;p:full" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
      2⤵
      • Executes dropped EXE
      PID:5112
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7} -ot reg -actn ace -ace "n:everyone;p:full" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
      2⤵
      • Executes dropped EXE
      PID:4392
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7} -ot reg -actn ace -ace "n:everyone;p:full" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
      2⤵
      • Executes dropped EXE
      PID:2692
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7} -ot reg -actn ace -ace "n:everyone;p:full" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
      2⤵
      • Executes dropped EXE
      PID:4852
    • C:\Windows\SysWOW64\reg.exe
      reg import "C:\Users\Admin\AppData\Local\Temp\idm_reset.reg"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1116
    • C:\Windows\SysWOW64\reg.exe
      reg import "C:\Users\Admin\AppData\Local\Temp\idm_trial.reg"
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:4388
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192} -ot reg -actn ace -ace "n:everyone;p:read" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
      2⤵
      • Executes dropped EXE
      PID:668
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192} -ot reg -actn ace -ace "n:everyone;p:read" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
      2⤵
      • Executes dropped EXE
      PID:3844
    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192} -ot reg -actn ace -ace "n:everyone;p:read" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
      2⤵
      • Executes dropped EXE
      PID:2472
      • C:\Windows\System32\Conhost.exe
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        3⤵
          PID:4060
      • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
        "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192} -ot reg -actn ace -ace "n:everyone;p:read" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
        2⤵
        • Executes dropped EXE
        PID:3768
        • C:\Windows\System32\Conhost.exe
          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          3⤵
            PID:4984
        • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
          "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC} -ot reg -actn ace -ace "n:everyone;p:read" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
          2⤵
          • Executes dropped EXE
          PID:2068
        • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
          "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC} -ot reg -actn ace -ace "n:everyone;p:read" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
          2⤵
          • Executes dropped EXE
          PID:3360
        • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
          "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC} -ot reg -actn ace -ace "n:everyone;p:read" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
          2⤵
          • Executes dropped EXE
          PID:3924
        • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
          "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC} -ot reg -actn ace -ace "n:everyone;p:read" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
          2⤵
          • Executes dropped EXE
          PID:4340
        • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
          "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671} -ot reg -actn ace -ace "n:everyone;p:read" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
          2⤵
          • Executes dropped EXE
          PID:588
          • C:\Windows\System32\Conhost.exe
            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            3⤵
              PID:2464
          • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
            "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671} -ot reg -actn ace -ace "n:everyone;p:read" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
            2⤵
            • Executes dropped EXE
            PID:4916
          • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
            "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671} -ot reg -actn ace -ace "n:everyone;p:read" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
            2⤵
            • Executes dropped EXE
            PID:920
          • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
            "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671} -ot reg -actn ace -ace "n:everyone;p:read" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
            2⤵
            • Executes dropped EXE
            PID:4728
            • C:\Windows\System32\Conhost.exe
              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              3⤵
                PID:1780
            • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
              "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C} -ot reg -actn ace -ace "n:everyone;p:read" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
              2⤵
              • Executes dropped EXE
              PID:2724
            • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
              "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C} -ot reg -actn ace -ace "n:everyone;p:read" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
              2⤵
              • Executes dropped EXE
              • Modifies registry class
              PID:1732
            • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
              "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C} -ot reg -actn ace -ace "n:everyone;p:read" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
              2⤵
              • Executes dropped EXE
              PID:3596
            • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
              "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C} -ot reg -actn ace -ace "n:everyone;p:read" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
              2⤵
              • Executes dropped EXE
              • Modifies registry class
              PID:1040
            • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
              "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7} -ot reg -actn ace -ace "n:everyone;p:read" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
              2⤵
              • Executes dropped EXE
              PID:4152
            • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
              "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7} -ot reg -actn ace -ace "n:everyone;p:read" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
              2⤵
              • Executes dropped EXE
              PID:4776
            • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
              "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7} -ot reg -actn ace -ace "n:everyone;p:read" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
              2⤵
              • Executes dropped EXE
              PID:3632
            • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
              "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7} -ot reg -actn ace -ace "n:everyone;p:read" -actn setprot -op "dacl:p_nc;sacl:p_nc" -silent
              2⤵
              • Executes dropped EXE
              PID:3256
            • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
              "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192} -ot reg -actn setowner -ownr "n:S-1-0-0" -silent
              2⤵
              • Executes dropped EXE
              PID:4948
            • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
              "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192} -ot reg -actn setowner -ownr "n:S-1-0-0" -silent
              2⤵
              • Executes dropped EXE
              PID:3424
            • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
              "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192} -ot reg -actn setowner -ownr "n:S-1-0-0" -silent
              2⤵
              • Executes dropped EXE
              PID:4080
            • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
              "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192} -ot reg -actn setowner -ownr "n:S-1-0-0" -silent
              2⤵
              • Executes dropped EXE
              PID:2124
              • C:\Windows\System32\Conhost.exe
                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                3⤵
                  PID:1784
              • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
                "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC} -ot reg -actn setowner -ownr "n:S-1-0-0" -silent
                2⤵
                  PID:1636
                • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
                  "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC} -ot reg -actn setowner -ownr "n:S-1-0-0" -silent
                  2⤵
                    PID:668
                  • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
                    "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC} -ot reg -actn setowner -ownr "n:S-1-0-0" -silent
                    2⤵
                      PID:1804
                    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
                      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC} -ot reg -actn setowner -ownr "n:S-1-0-0" -silent
                      2⤵
                        PID:1888
                      • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
                        "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671} -ot reg -actn setowner -ownr "n:S-1-0-0" -silent
                        2⤵
                          PID:724
                        • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
                          "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671} -ot reg -actn setowner -ownr "n:S-1-0-0" -silent
                          2⤵
                            PID:340
                            • C:\Windows\System32\Conhost.exe
                              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              3⤵
                                PID:2068
                            • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
                              "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671} -ot reg -actn setowner -ownr "n:S-1-0-0" -silent
                              2⤵
                                PID:4012
                              • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
                                "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671} -ot reg -actn setowner -ownr "n:S-1-0-0" -silent
                                2⤵
                                  PID:572
                                • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
                                  "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C} -ot reg -actn setowner -ownr "n:S-1-0-0" -silent
                                  2⤵
                                    PID:1016
                                  • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
                                    "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C} -ot reg -actn setowner -ownr "n:S-1-0-0" -silent
                                    2⤵
                                    • Modifies registry class
                                    PID:1440
                                    • C:\Windows\System32\Conhost.exe
                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      3⤵
                                        PID:876
                                    • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
                                      "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C} -ot reg -actn setowner -ownr "n:S-1-0-0" -silent
                                      2⤵
                                        PID:576
                                      • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
                                        "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C} -ot reg -actn setowner -ownr "n:S-1-0-0" -silent
                                        2⤵
                                        • Modifies registry class
                                        PID:2612
                                      • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
                                        "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7} -ot reg -actn setowner -ownr "n:S-1-0-0" -silent
                                        2⤵
                                          PID:1340
                                        • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
                                          "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7} -ot reg -actn setowner -ownr "n:S-1-0-0" -silent
                                          2⤵
                                            PID:3204
                                          • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
                                            "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7} -ot reg -actn setowner -ownr "n:S-1-0-0" -silent
                                            2⤵
                                              PID:1732
                                            • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
                                              "C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe" -on HKLM\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7} -ot reg -actn setowner -ownr "n:S-1-0-0" -silent
                                              2⤵
                                                PID:2032
                                              • C:\Windows\SysWOW64\reg.exe
                                                reg add "HKCU\Software\DownloadManager" /v "auto_reset_trial" /t "REG_SZ" /d "2024/08/26" /f
                                                2⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:2512
                                              • C:\Windows\SysWOW64\reg.exe
                                                reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IDM trial reset" /t "REG_SZ" /d "\"C:\Users\Admin\AppData\Local\Temp\IDM Trial Reset.exe\" /trial" /f
                                                2⤵
                                                • Adds Run key to start application
                                                • System Location Discovery: System Language Discovery
                                                PID:2208
                                            • C:\Program Files\VideoLAN\VLC\vlc.exe
                                              "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\GetConvertTo.ram"
                                              1⤵
                                              • Suspicious behavior: AddClipboardFormatListener
                                              • Suspicious behavior: GetForegroundWindowSpam
                                              • Suspicious use of FindShellTrayWindow
                                              • Suspicious use of SendNotifyMessage
                                              • Suspicious use of SetWindowsHookEx
                                              PID:3600
                                            • C:\Program Files\VideoLAN\VLC\vlc.exe
                                              "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RequestFind.aiff"
                                              1⤵
                                              • Suspicious behavior: AddClipboardFormatListener
                                              • Suspicious use of FindShellTrayWindow
                                              • Suspicious use of SendNotifyMessage
                                              • Suspicious use of SetWindowsHookEx
                                              PID:3488
                                            • C:\Windows\system32\NOTEPAD.EXE
                                              "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\FormatUnregister.txt
                                              1⤵
                                              • Opens file in notepad (likely ransom note)
                                              PID:2452

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • C:\Users\Admin\AppData\Local\Temp\SetACLx64.exe
                                              Filesize

                                              546KB

                                              MD5

                                              3e350eb5df15c06dec400a39dd1c6f29

                                              SHA1

                                              f1434cfef2c05fda919922b721ec1a17adb3194e

                                              SHA256

                                              427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419

                                              SHA512

                                              b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\idm_reset.reg
                                              Filesize

                                              4KB

                                              MD5

                                              17ebf21fccac9756eab46eb64ba6c029

                                              SHA1

                                              8c8eef0f220777dc9b2ddee0cad6c792d98d5487

                                              SHA256

                                              290a3f67bbbdbd5c1101e90921475c2b95e97dc69a3141412fbac79fcadd3ee8

                                              SHA512

                                              47eed5646fd6e232a7e1dba9678e9c787cd367cdc71a5330c5f09aef4ebff381a5eb3f5a76b4c306e45d3c6ca21fe2c749ce10bd09bb90145b46ab4299f7f4c7

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\idm_trial.reg
                                              Filesize

                                              2KB

                                              MD5

                                              237962e36948f3d0c9ec42efa289ac52

                                              SHA1

                                              83f7e0b993e676dd381863370d1bf80fb84aeeb5

                                              SHA256

                                              40ad93cf424eee41a0877b11acb92f7f12d58ab3aa6fa6d64d92cfbbe11695a2

                                              SHA512

                                              beeaeb083e6533e9410c63b7b3acf67309f3a3da80b49f18890e883f4c1d1244383dc227cd93e5a16aaaa8096f4f424d380e3aa5cc600d455b07cd4b6264e4da

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\reg_query.tmp
                                              Filesize

                                              2.8MB

                                              MD5

                                              38ea535eb9ecc5dded7ea275e9e9584f

                                              SHA1

                                              7672527370c086559c49e08c6069b11b1492332a

                                              SHA256

                                              6ea05889240465f1b91f7365131738643b97256280f5d5cc376c2453eab6bca7

                                              SHA512

                                              41c5afb8248e8e4f878e7856192aac6563ef7ea4e2ea4781ce474cdd9d5ae00fae9578bd6a4993fbf27e57f48578cfc711359e6ddb9659fbd8c04f7a6f2320bb

                                              Download Submit

                                            • C:\Users\Admin\AppData\Roaming\vlc\ml.xspf
                                              Filesize

                                              304B

                                              MD5

                                              781602441469750c3219c8c38b515ed4

                                              SHA1

                                              e885acd1cbd0b897ebcedbb145bef1c330f80595

                                              SHA256

                                              81970dbe581373d14fbd451ac4b3f96e5f69b79645f1ee1ca715cff3af0bf20d

                                              SHA512

                                              2b0a1717d96edb47bdf0ffeb250a5ec11f7d0638d3e0a62fbe48c064379b473ca88ffbececb32a72129d06c040b107834f1004ccda5f0f35b8c3588034786461

                                              Download Submit

                                            • C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini
                                              Filesize

                                              78B

                                              MD5

                                              0e8ed80d632707e51e88931eac35415c

                                              SHA1

                                              38766b89fa2ff7034c25a65658943a0665ef44e1

                                              SHA256

                                              04d76c63efde96dc448ee9cb99505feddce6cd909fecb002d7621b4ccbd054a8

                                              SHA512

                                              7aa2259abc68f0eb984d9c9b4c069e7aeb64b512f922061b3ecd65451e6d73379c64cc83e4b8a3eada8d597451d57472d4358df43f0944ec9a2310dd8648f9b4

                                              Download Submit

                                            • C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini
                                              Filesize

                                              844B

                                              MD5

                                              43d6f397b0ba905eeeafa06667428618

                                              SHA1

                                              bc38c325de6e274affda6c6dd29815dafc8cfb63

                                              SHA256

                                              3f33f36c06acbb9baebe77a9bb1fa166486de5be9424ef0584c97b7df7e2ab5f

                                              SHA512

                                              c4924cc86c2f41236185c0802f6fb8e5684bd00f98d16cd1872c25a817db177fc1792d1e2668bb5fc029c79d3f60faa272936836d357aac04a8630140c7fd25a

                                              Download Submit

                                            • C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock
                                              Filesize

                                              18B

                                              MD5

                                              1bd84f84b8b09b3fefed0d1c95e47972

                                              SHA1

                                              5fc279c5d7a73bf51615bf64744ca802e4072b98

                                              SHA256

                                              40979eeff610ec8a1da10645ff66392c32e24cc3d51955c6e0eee2879cb586df

                                              SHA512

                                              9d49052521b01c114beb08fbd4abf305ef540696444dd40dc1d744fa3fc6fa0d7ef5687694ad2677ab5d9bc9f24b09da49e4535868136efad0417ee8593013d1

                                              Download Submit

                                            • C:\Users\Admin\AppData\Roaming\vlc\vlcrc
                                              Filesize

                                              94KB

                                              MD5

                                              ec3bdb41d903f7f7569e7480d02999e3

                                              SHA1

                                              57c13d86e04a69e840f22092f75e9255fc81dbdf

                                              SHA256

                                              13f9604d1134251dbe1a950cd34cbde0ebb98c5cce8d3c81115e2fdee9f1270f

                                              SHA512

                                              82c2922003a03c853f9426f23c364503610a35301fe56917a97c72295ef0f8c23765734d84ed8d4c3748e14d4d3a23381671717102c3d4067f3d2383f2fc0ded

                                              Download Submit

                                            • memory/3488-173-0x00007FFDADE50000-0x00007FFDADF5E000-memory.dmp

                                              Filesize

                                              1.1MB

                                              Download

                                            • memory/3488-170-0x00007FF6080A0000-0x00007FF608198000-memory.dmp

                                              Filesize

                                              992KB

                                              Download

                                            • memory/3488-171-0x00007FFDC1220000-0x00007FFDC1254000-memory.dmp

                                              Filesize

                                              208KB

                                              Download

                                            • memory/3488-172-0x00007FFDAE520000-0x00007FFDAE7D6000-memory.dmp

                                              Filesize

                                              2.7MB

                                              Download

                                            • memory/3532-174-0x0000000000A60000-0x0000000000C42000-memory.dmp

                                              Filesize

                                              1.9MB

                                              Download

                                            • memory/3532-0-0x0000000000A60000-0x0000000000C42000-memory.dmp

                                              Filesize

                                              1.9MB

                                              Download

                                            • memory/3532-33-0x0000000000A60000-0x0000000000C42000-memory.dmp

                                              Filesize

                                              1.9MB

                                              Download

                                            • memory/3532-105-0x0000000000A60000-0x0000000000C42000-memory.dmp

                                              Filesize

                                              1.9MB

                                              Download

                                            • memory/3532-27-0x0000000000A60000-0x0000000000C42000-memory.dmp

                                              Filesize

                                              1.9MB

                                              Download

                                            • memory/3532-26-0x0000000000A60000-0x0000000000C42000-memory.dmp

                                              Filesize

                                              1.9MB

                                              Download

                                            • memory/3600-56-0x00007FFDC1430000-0x00007FFDC1447000-memory.dmp

                                              Filesize

                                              92KB

                                              Download

                                            • memory/3600-93-0x00007FFDAF2C0000-0x00007FFDAF576000-memory.dmp

                                              Filesize

                                              2.7MB

                                              Download

                                            • memory/3600-74-0x00007FFDB9C40000-0x00007FFDB9CA7000-memory.dmp

                                              Filesize

                                              412KB

                                              Download

                                            • memory/3600-72-0x00007FFDBD620000-0x00007FFDBD638000-memory.dmp

                                              Filesize

                                              96KB

                                              Download

                                            • memory/3600-71-0x00007FFDC04B0000-0x00007FFDC04C1000-memory.dmp

                                              Filesize

                                              68KB

                                              Download

                                            • memory/3600-70-0x00007FFDC0510000-0x00007FFDC052B000-memory.dmp

                                              Filesize

                                              108KB

                                              Download

                                            • memory/3600-69-0x00007FFDC0530000-0x00007FFDC0541000-memory.dmp

                                              Filesize

                                              68KB

                                              Download

                                            • memory/3600-68-0x00007FFDC0550000-0x00007FFDC0561000-memory.dmp

                                              Filesize

                                              68KB

                                              Download

                                            • memory/3600-67-0x00007FFDC0570000-0x00007FFDC0581000-memory.dmp

                                              Filesize

                                              68KB

                                              Download

                                            • memory/3600-64-0x00007FFDAD840000-0x00007FFDAE8F0000-memory.dmp

                                              Filesize

                                              16.7MB

                                              Download

                                            • memory/3600-77-0x00007FFDB9B60000-0x00007FFDB9BB7000-memory.dmp

                                              Filesize

                                              348KB

                                              Download

                                            • memory/3600-65-0x00007FFDC05B0000-0x00007FFDC05D1000-memory.dmp

                                              Filesize

                                              132KB

                                              Download

                                            • memory/3600-55-0x00007FFDC49F0000-0x00007FFDC4A08000-memory.dmp

                                              Filesize

                                              96KB

                                              Download

                                            • memory/3600-62-0x00007FFDAE8F0000-0x00007FFDAEAFB000-memory.dmp

                                              Filesize

                                              2.0MB

                                              Download

                                            • memory/3600-54-0x00007FFDAF2C0000-0x00007FFDAF576000-memory.dmp

                                              Filesize

                                              2.7MB

                                              Download

                                            • memory/3600-76-0x00007FFDBD600000-0x00007FFDBD611000-memory.dmp

                                              Filesize

                                              68KB

                                              Download

                                            • memory/3600-91-0x00007FF6080A0000-0x00007FF608198000-memory.dmp

                                              Filesize

                                              992KB

                                              Download

                                            • memory/3600-75-0x00007FFDB9BC0000-0x00007FFDB9C3C000-memory.dmp

                                              Filesize

                                              496KB

                                              Download

                                            • memory/3600-92-0x00007FFDC1220000-0x00007FFDC1254000-memory.dmp

                                              Filesize

                                              208KB

                                              Download

                                            • memory/3600-94-0x00007FFDAD840000-0x00007FFDAE8F0000-memory.dmp

                                              Filesize

                                              16.7MB

                                              Download

                                            • memory/3600-78-0x00007FFDAD0A0000-0x00007FFDAD0B1000-memory.dmp

                                              Filesize

                                              68KB

                                              Download

                                            • memory/3600-79-0x0000018D294B0000-0x0000018D29552000-memory.dmp

                                              Filesize

                                              648KB

                                              Download

                                            • memory/3600-80-0x0000018D29820000-0x0000018D299D3000-memory.dmp

                                              Filesize

                                              1.7MB

                                              Download

                                            • memory/3600-73-0x00007FFDBBE70000-0x00007FFDBBEA0000-memory.dmp

                                              Filesize

                                              192KB

                                              Download

                                            • memory/3600-66-0x00007FFDC0590000-0x00007FFDC05A8000-memory.dmp

                                              Filesize

                                              96KB

                                              Download

                                            • memory/3600-57-0x00007FFDC1390000-0x00007FFDC13A1000-memory.dmp

                                              Filesize

                                              68KB

                                              Download

                                            • memory/3600-58-0x00007FFDC10C0000-0x00007FFDC10D7000-memory.dmp

                                              Filesize

                                              92KB

                                              Download

                                            • memory/3600-59-0x00007FFDC0FC0000-0x00007FFDC0FD1000-memory.dmp

                                              Filesize

                                              68KB

                                              Download

                                            • memory/3600-63-0x00007FFDC05E0000-0x00007FFDC0621000-memory.dmp

                                              Filesize

                                              260KB

                                              Download

                                            • memory/3600-60-0x00007FFDC0980000-0x00007FFDC099D000-memory.dmp

                                              Filesize

                                              116KB

                                              Download

                                            • memory/3600-61-0x00007FFDC0630000-0x00007FFDC0641000-memory.dmp

                                              Filesize

                                              68KB

                                              Download

                                            • memory/3600-53-0x00007FFDC1220000-0x00007FFDC1254000-memory.dmp

                                              Filesize

                                              208KB

                                              Download

                                            • memory/3600-52-0x00007FF6080A0000-0x00007FF608198000-memory.dmp

                                              Filesize

                                              992KB

                                              Download