Overview

overview

9

Static

static

1

New Order_...24.vbe

windows7-x64

8

New Order_...24.vbe

windows10-2004-x64

9

Analysis

  • max time kernel
    298s
  • max time network
    301s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-09-2024 06:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New Order_Sept2024.vbe

  • Size

    12KB

  • MD5

    01ad59d70871354c051f21b786d587d2

  • SHA1

    19a0ea0c09319345cb1f168d004a340514fdf36c

  • SHA256

    a80a80f6ffe799ac7b9cd41ba6cf36bc6a5bac15584b9f02820e8f0fc2f7ed37

  • SHA512

    189a668fc23aeb6762060c9fce461d36fc41766c0c8d48b9a2f6ea90949293e96e4578e29a93ace461bdc79a20a36b116d268755e3f77fa2e4059ac25e3a7519

  • SSDEEP

    384:SlEpga/4dPJuUMk3xsOP4NHw/Xjj+ysMcWbC:SqNWJUk3AHwPjaNiC

Score
9/10
credential_accessdiscoverystealer

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 14 IoCs
  • Suspicious use of SetThreadContext 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 36 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 24 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\New Order_Sept2024.vbe"
    1⤵
    • Blocklisted process makes network request
    PID:3148
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\yBWGDdceHJjwMqj.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4068
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:4048
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2952" "2736" "2680" "2740" "0" "0" "2744" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:4636
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3424
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3424" "2688" "2616" "2692" "0" "0" "2696" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:376
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3940
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1284
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3940" "2728" "2644" "2732" "0" "0" "2736" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:3720
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1344
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1344" "2724" "2652" "2728" "0" "0" "2732" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:5112
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4768
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3536
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4768" "2728" "2664" "2732" "0" "0" "2736" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:3248
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3840
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3840" "1996" "2480" "2176" "0" "0" "2180" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:1124
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2160
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3244
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2160" "2596" "2564" "2600" "0" "0" "2604" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:3536
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3948
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3948" "2608" "2548" "2612" "0" "0" "2616" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:2088
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3324
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4248
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3324" "2732" "2580" "2736" "0" "0" "2740" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:2372
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1712
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1712" "2688" "2616" "2692" "0" "0" "2696" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:4092
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1540
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2356
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1540" "2732" "2668" "2736" "0" "0" "2740" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:2600
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1336
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1336" "2684" "2612" "2688" "0" "0" "2692" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:3156
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4264
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        3⤵
          PID:4872
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        2⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1288
    • C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\StartAdd.mp3"
      1⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2220
      • C:\Windows\SysWOW64\autochk.exe
        "C:\Windows\SysWOW64\autochk.exe"
        2⤵
          PID:3476
        • C:\Windows\SysWOW64\pcaui.exe
          "C:\Windows\SysWOW64\pcaui.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1932
          • C:\Program Files\Mozilla Firefox\Firefox.exe
            "C:\Program Files\Mozilla Firefox\Firefox.exe"
            3⤵
              PID:2924

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          3KB

          MD5

          3f01549ee3e4c18244797530b588dad9

          SHA1

          3e87863fc06995fe4b741357c68931221d6cc0b9

          SHA256

          36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

          SHA512

          73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
          Filesize

          53KB

          MD5

          a26df49623eff12a70a93f649776dab7

          SHA1

          efb53bd0df3ac34bd119adf8788127ad57e53803

          SHA256

          4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

          SHA512

          e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          2KB

          MD5

          7ae7fa90dc3c0424ad1f79758bf2d566

          SHA1

          785433bbb6004ea14ea571cc361f2b1cc8c6f8c8

          SHA256

          87ef74aec965436e22ecc88a0fedabab0c289e99112e7216a6bbc6093e37a5d4

          SHA512

          823e21f6203550241a47cb0a7a90111aa857957ab18e14208b8d0b27d1306afc1180ffedd7f98af18c9743e3b5179ec95ba3a8b579bf53b7d0ad1b8fd0db9742

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          1KB

          MD5

          1f1ed1cea2d7c55a62aafed291cb7b89

          SHA1

          1250f708810f2b9174b31cd6a3e4c1c33097170f

          SHA256

          a3d50fd79aee9117949fec7d8cf95dac0058e84459f917e4ea041edd34f98838

          SHA512

          28567577508442094f9b5a015f8fe16d077cc37304e5699d6b16787d717a0220aefd84fe2f582c3846017343bb74a36d36f5b2a36f7adc85b398835b817cf221

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          3KB

          MD5

          6a3075423aa1a00d8f3bb81e2181d6ff

          SHA1

          3efffc6f0897f095d53bfeadf5640b40c6638e35

          SHA256

          da64610cf087debe2b64c661d08de6d70f4e5ed6610e6e72a6a8bd1c798b4153

          SHA512

          de9b838c0de61d50d645578e7132e0fdb7b93789542603c76e5bb5605f06abe41077e2064c10a4b76f06f05ef1e65245f1a5f34e980b9fbb15655bc8cbe77f30

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          2KB

          MD5

          508aa6e819e9a0515b9e45671d235330

          SHA1

          c3c8c81b38f93d7a740a799d0e3560758b50b605

          SHA256

          464824da741faa900c38c9d26effd84479cf245eb5a4f1677d70d9ec7a48ef8a

          SHA512

          8c33f63a629d800a60003546f8354c1717a544c217f975659d3812baf51408d11b7cf0a0d9553914459a48b42a4d8537827bdf0af20fc7fb2cb180181d85f4c9

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          2KB

          MD5

          7eb9b1e2c6950ae0be62d0171b63f54f

          SHA1

          b3093dfa9caad318484f1c18714a15b7dee41b4a

          SHA256

          b6123e914b5870a2ce720068c3ae72d92dcac27ec8a6465da2a61f39524ce489

          SHA512

          50076ddfa64eb0884c3611ad6744875b3f23ea992bb294b0d8115213ae27bad6799014d037c606ec5cf09a466263e31bd2fbda38814d19912e352c5d9db3574f

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          2KB

          MD5

          7346ff103b7a70406c3775dc506b63ca

          SHA1

          933a471e02384cac8f0dee852a754d1883a4af8e

          SHA256

          45e8c21b769e6ede41e6934f7f729b96ea1c5d8d5718468dc22f653c8bba8a1b

          SHA512

          a8bd81a79eb2888359229b3002930c7be3c2c373b79635e525928475ef00ffcc7b6f0fec8043ee2ad0228fb6e89c7c7c7680958c7a2c1ec06cd5d9ffc6c1f30c

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          3KB

          MD5

          6e809f4c18466a0a63db912fb7a2441c

          SHA1

          d88653e1426406c3175c3fee38d55cd94a1ec5b1

          SHA256

          2a684a0f36716559ec3fef1d5cdcd0fa7d48cd59e40457b7adc4d7b1f9a0c9fa

          SHA512

          b47bb55f42d8930277dcab4d3850aba5b1f40b794f07cf1a0858b7280dc8bab243f445c50d2a45fa183c8f664c4864f476d4565c85380fc10cf45fe53d16100c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5gcbpmgb.2uj.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
          Filesize

          252B

          MD5

          b22a7fcc2d15068cdc67cd3f3824ba23

          SHA1

          7f4be4c9077998b31e1b911efc97e288bfddf16a

          SHA256

          b673fc755a94bc6c5b48ac4aabaf6ccdd132d453d9e21279284264927145c207

          SHA512

          219c2c688ccd168b7bafbf1d932e2fc9c51d5d2607d1fcf18437e19f3df5ef21e347fb0493f0e4d3aaa1bcd016f65004d8daede6c59a17ad613d803c4ae131c9

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
          Filesize

          504B

          MD5

          3d6bb32437bc0105575b39134af1e864

          SHA1

          8d25d5677f7f4a0e64854b3a7613751eb56a9a1f

          SHA256

          b5bccfcafe6a89b5c67c18bae0c720938d6b10003e7544d97ea352d5174297ca

          SHA512

          613bef3c8ca1243c3755d835efd858286d0ea8902fc6ff1bcd8eb2ab136f01aa6defd0a2c7a8218bc119de9d879eea1235038bc52185b209dd3e0c373a935724

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
          Filesize

          1008B

          MD5

          5c3f7830fa1eb6f0170c7bed69a5ea5f

          SHA1

          35a2a9413babfa032b440c19cbbfbcb2f004942a

          SHA256

          0b9320fc3955e3e79fb96d88e0106db99fbfb9e359a8888453cd6627eb9f8ccb

          SHA512

          07b54c224d8bd7bd02c6a60790dbf4804101aa7201080f17daf55530c90d13a4bb0564d30daaeb744f518816cb843a29fbec054b1d0e82266c5dead1e4a4f209

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
          Filesize

          1KB

          MD5

          2a173dc6e67cef3af114a7d5997d522c

          SHA1

          027b55794052283eba7370e6055783827447b829

          SHA256

          5afe352e547d6679629689d013a96123c9e31551b55886b7d16c255357ea97f7

          SHA512

          de9d8ea36c5d9c2ecd30d41cb3f2c90d7fdf8ffbdf0cd8b3bedc4437db57dfdb29c11a616065846446d386a5105cc86acde76a3fb6873c0a781073253db12d3a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
          Filesize

          1KB

          MD5

          0f07bdf8961950b8139106b20dba81e4

          SHA1

          879866dacd02fa47861d87e0d1e2291d428739c5

          SHA256

          a5e58d062bda359fd3d5290966305308906a76445497231bc1480b9a737a5124

          SHA512

          f7adb6bf6dcd48aba229883cf23b7b64224c701d4f8c29fbe7233a3d9fc96ff75a70ef8ace5f64ef2b7880031cd35bbb389a4b890d2d2009d815cdeec3f67d70

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
          Filesize

          756B

          MD5

          df96f511b55a7d9e287898c372562909

          SHA1

          18bf994c32a90e0ca650e389d04d4e1551099f9c

          SHA256

          2fea44ff27323329e0e273f54fc55694e4d7f8a91a5388d70ce056e6665895c4

          SHA512

          824573db43b055d560fafb6313232bc97d8b330f86414dd6f6302649b5227b258e0811f1e5169f9b817acb1ea7a9891e2585b6b27f803e96179c2cd225a1817e

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          6KB

          MD5

          3d99ad05352c7bcd793ec2534442ec17

          SHA1

          619d6429e5d1f8581b65de83bb5467d97cbced79

          SHA256

          bed71cf649424c3d9ed212a70580c94b1282bf7b397f9acf483862fbf1e30db1

          SHA512

          2123013aee27990f4c4134e397c14c511d84882186d9547dcc120550614b1c95e6f4e7325c39f897c81dcbd9a2435214820fc92d03e80f7b931cb38de8b136f9

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          6KB

          MD5

          f3852db96a91328529d53a2d98bd9afc

          SHA1

          6e92e433f2c010d407143365a687568ea8d45434

          SHA256

          b93f955fb3d00d06c244c33193ae1152a1a6393c8fff9b40e93fb9bc6bacbdf8

          SHA512

          a56a026fe82e230a729868665862af4d0246c23aa19e8492064491ea6bfe9d330c41ac8e368b60efc6fc42ee9a661f272fbca7a602d5a6d09d5351e3b5d96f93

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          6KB

          MD5

          48a161a5ec5c706d06050350e069725c

          SHA1

          b79be8163a81427bc9b51964d81da2c201585397

          SHA256

          4017eb9a89c11ad21b0b1534aa79e40bdd035b70f11292b35add329d3dbb809c

          SHA512

          6d7bb5ef11d6b918e28bf3a58477a1c4e6de7a665b8f257a8a383b1390bdfa5bd9b00968d8f5f97cbcf84538142a7fae0d294c77773b38d48350f729b9e4a1dc

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          6KB

          MD5

          495cbb4e796a462dcc797d0918b20a92

          SHA1

          4441c8abe713e9dc7bd37ed8b883c1a3aae99c2f

          SHA256

          94a0cafb0150c82c3beb8f00daa0828028e491912a0d2ee5e560e4a3cc4b44b3

          SHA512

          157c50a7308d6e757ec2311a9dcb4d1fd4498f6f6d5c3f5b4f762c1d8a09d53ed83f392a1572a2d9cc9801bb2973b00ab8afe2c1eb1d1a3955d6d4915019be7b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          6KB

          MD5

          f103f521923108154ff867429504c00d

          SHA1

          3b1ef7c824e7d25198d37f0285747d598c343fb2

          SHA256

          7f64f1eab30ab0408d33fee21c942bb6099e67aa723161fb8700e89a43fe2a6d

          SHA512

          e01fa6385a488c8204a543158b2980bf76aaf44db2f64c470a05aaf7201fd170ca4a0a625e56d39e8ad7a1f4b576c894159110de0bed5f85af34792587c46ced

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          6KB

          MD5

          a298a1898a1f388f2327999d666baf93

          SHA1

          37dfb465923731e986d14ec6442100568655b251

          SHA256

          4f9297362765f7df6f5b4bd75a82ebce80801f37e94dbf17268a23f0e3b85c25

          SHA512

          b90e00719e16a41dc83b61cffc499a3fb264a87f8bc6008b9e51a83323ec8bd083e4307625c288243e00728d971dd9aa62a05745d3095d349a0b18cbc38555e0

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          6KB

          MD5

          1237a88851b188342120dd2041aefb35

          SHA1

          7ddf034198b39cfec81a699304cd15a0326fcc4f

          SHA256

          9bbaf160e081c04f4c4b9ac0398152eb246a454ddd61521f7bed745386e4d364

          SHA512

          efd799326816124a22ea67d318b977609d51f37b37005c0f2465ce6108edf8c2c117ddfead1c2cc52afc4c68762159a19b92ff2909f8b4a4bcd3bd7670c073d5

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          6KB

          MD5

          6684d0c3e84661b624d466cc00aa2464

          SHA1

          fde0d831e1537287348b6ddb7550344f694533ff

          SHA256

          c3c7da537c2c8088480eaf58c202f6ea5b39bef078c8c2453fbff2e6722d4b8d

          SHA512

          e9f7c611b7102e209ab6cb8b64ff92f9a79e0301880e1a29032c8651bfc35ef8531f6e9ce906638ef2267a290a16e6c93b85545bd7626428f1d60379d1695825

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          6KB

          MD5

          d799ba015edb15c9e512a83790acb7d0

          SHA1

          b15eb250204384599c3e036da6af21d1f92790e8

          SHA256

          6c7c3260922f27e0159cbde1eb957de73a3ff4b8ae4ef4dd44867f68eecf9195

          SHA512

          a3fbbcbaef4856e96371c94471aa974eb9e069a947ebd63c12517b0a6da9dc07f3f11d74e496769fadc2f27c4c00d4534ce086e97d452db8fd57f2725fc3c289

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          6KB

          MD5

          58bf58a0f34ef6095687e50b13078581

          SHA1

          9947c80b6a097b8c686b14509e9595aeac8b7186

          SHA256

          29ab33d01c80eb5eb6498d7473fec0feca23189dcfb3914ae514abf64e4e0dbd

          SHA512

          ec1662f224c2cb0d9b4eff8b61b94de5bc20519f6aed37e096c0a5b846333fa8eaef2523826d9f46e85da26b7eb0538dbe3e05e7dd097fbf37d39b1a7296d193

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          6KB

          MD5

          19cc9579761ca6d67f51e1dfa6d06781

          SHA1

          82e545d6765eab03ba229ec1b7e5a5444e8d9b9d

          SHA256

          6ae13177aafb6824eba8da03467b4908dc1eb9553292b71c55011c9eb0bbf902

          SHA512

          133551c74d820230ace4f3cdab001a4a272c1f53b9dcfdeb634f711f40310dc9c4e2e14017d5cb2c8cdeda09af8c9f90c18942635e8d5cabe49911a5034340af

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          6KB

          MD5

          2cc9afb1ca032184737238d2cb14db5d

          SHA1

          e9e24456af586fc0e60cdfd21c2a1e9521a45fc7

          SHA256

          553f2e90cedcdc1b08b47987ee46eea7fc9001dc500388dc96d38404353c1bc0

          SHA512

          4b69ce14b06804c260faeaf7f04c2544271f77dcfd06cb22e4a4cb151f2dd2f0c7ccb2cb1727e1b175a8d5257a53068debc3f59bb20bbe5a227a6581957b8205

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          6KB

          MD5

          33e12d8ac952e4173bb84bea13297ade

          SHA1

          5efe3025bcd857ed3ea508d052b11c6d11d907de

          SHA256

          50461b5714035626489fe0a794231280cf1b7e8f5dd911eea2a290e314e85d7d

          SHA512

          f3398157c6f9ac186241dca53f8850677f2c3bbbb09ddc1007d2f8292e4c13b7b39ce9e3d7f352947b444acbf1b62243d0161fd8a4c55d2dcdfd72951dc805bc

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          6KB

          MD5

          4d7bdb0e6587e712e9d8a5616cb5c6f8

          SHA1

          d2189baa730c350a95775ea32d9b77db7fc78b1b

          SHA256

          8e9c58ed906de18761d16353270a7094b5946334f05e925244aa894980429d88

          SHA512

          31f69fd12a2b55c842e838f36d977f8debb88b9418d9c4f3a64071146c9872bb61af2604e90acbb368eeb76662a44857b099234c94951c3d99de5b02824d729a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini
          Filesize

          73B

          MD5

          bfadf86349f8dfc21e7e779a6cf18b74

          SHA1

          3103065fd240e6042aea4c07c6dbe416258cab77

          SHA256

          f9c417c924bbe984f326f231ca030701e2e5d3a48337f7ec805e32cbf44ee9da

          SHA512

          4135b71b43d4f2f9a1607f16e0d8313044d9c23c804882e47d3b01d71afb23399ea1564732832ade32fe74183d9286e4e3434de0a17ece5b423e4da93ba2cc97

          Download Submit

        • C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini
          Filesize

          74B

          MD5

          900110f5045f6e077ccaaca023891095

          SHA1

          2d9d96bfca84c07b6f0e5a862a1d9c658c099f7a

          SHA256

          0d64054fca04124d5f268bd625590cb1e0108f70b652171f2de471e2ba2f07ed

          SHA512

          9eb06ced4d28cd92ed2236ed9b4f7da8588eedcc2e0ab1a16add2fc7aa02dc6400a27689c5d253cd0eace00c91bc365d0cb9f239e8573a5fe5bc3ebd8456bd70

          Download Submit

        • C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock
          Filesize

          18B

          MD5

          ab70cafe976f642ef9919dfb98ead7b3

          SHA1

          92a3b12d4a34deff0badae7ca30e0a626aa0905b

          SHA256

          d717b56cfec6c068117230fa8010dfdf21bf2b9c85fedd90e0fa342e158d9200

          SHA512

          c35cc56e9fb00db432888f7a2e74eed291af9b36da04d4656e2ec7d004bf854388490b9e5e2b79e93df82e0c1e82ab476931651a5759014870a83de38b0d1d39

          Download Submit

        • C:\Users\Admin\AppData\Roaming\vlc\vlcrc.2220
          Filesize

          94KB

          MD5

          7b37c4f352a44c8246bf685258f75045

          SHA1

          817dacb245334f10de0297e69c98b4c9470f083e

          SHA256

          ec45f6e952b43eddc214dba703cf7f31398f3c9f535aad37f42237c56b9b778e

          SHA512

          1e8d675b3c6c9ba257b616da268cac7f1c7a9db12ffb831ed5f8d43c0887d711c197ebc9daf735e3da9a0355bf21c2b29a2fb38a46482a2c5c8cd5628fea4c02

          Download Submit

        • C:\Users\Admin\AppData\Roaming\yBWGDdceHJjwMqj.vbs
          Filesize

          2KB

          MD5

          e8e30a783dd292ea2b3aa52349007106

          SHA1

          60e55dfc94d07b4147d7147abfb54e809ce9ebc4

          SHA256

          db4c9673ce906ad583be62458d15ed8f7c32ebb45664a1db06fb5417bcfc7b47

          SHA512

          119fc00126e077e8f4409167990c89f0bbdcce37e042c4eb748115bb67393576d7a2b462104d1aaa9c65f11295a810d6f1a51393d84870109dae16fe90c837b0

          Download Submit

        • memory/1932-95-0x0000000001000000-0x0000000001043000-memory.dmp

          Filesize

          268KB

          Download

        • memory/1932-115-0x0000000001000000-0x0000000001043000-memory.dmp

          Filesize

          268KB

          Download

        • memory/2220-22-0x00007FFB93B20000-0x00007FFB93B37000-memory.dmp

          Filesize

          92KB

          Download

        • memory/2220-32-0x00007FFB91B80000-0x00007FFB91B91000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2220-16-0x00007FF654A70000-0x00007FF654B68000-memory.dmp

          Filesize

          992KB

          Download

        • memory/2220-87-0x00007FFB8CF40000-0x00007FFB8DFF0000-memory.dmp

          Filesize

          16.7MB

          Download

        • memory/2220-17-0x00007FFB930D0000-0x00007FFB93104000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2220-23-0x00007FFB93320000-0x00007FFB93331000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2220-25-0x00007FFB92710000-0x00007FFB92721000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2220-28-0x00007FFB8CF40000-0x00007FFB8DFF0000-memory.dmp

          Filesize

          16.7MB

          Download

        • memory/2220-29-0x00007FFB91BE0000-0x00007FFB91C01000-memory.dmp

          Filesize

          132KB

          Download

        • memory/2220-30-0x00007FFB91BC0000-0x00007FFB91BD8000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2220-31-0x00007FFB91BA0000-0x00007FFB91BB1000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2220-33-0x00007FFB91A90000-0x00007FFB91AA1000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2220-34-0x00007FFB8B2F0000-0x00007FFB8B301000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2220-116-0x000002B9F2A20000-0x000002B9F2B30000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2220-19-0x00007FFBAA990000-0x00007FFBAA9A8000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2220-20-0x00007FFBA4170000-0x00007FFBA4187000-memory.dmp

          Filesize

          92KB

          Download

        • memory/2220-21-0x00007FFBA0A60000-0x00007FFBA0A71000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2220-26-0x00007FFB8DFF0000-0x00007FFB8E1FB000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2220-27-0x00007FFB91C10000-0x00007FFB91C51000-memory.dmp

          Filesize

          260KB

          Download

        • memory/2220-18-0x00007FFB901F0000-0x00007FFB904A6000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/2220-24-0x00007FFB92CD0000-0x00007FFB92CED000-memory.dmp

          Filesize

          116KB

          Download

        • memory/2952-53-0x0000016AB7B80000-0x0000016AB7B88000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2952-54-0x0000016AB8020000-0x0000016AB802A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2952-15-0x0000016AB8120000-0x0000016AB8196000-memory.dmp

          Filesize

          472KB

          Download

        • memory/2952-14-0x0000016AB8050000-0x0000016AB8094000-memory.dmp

          Filesize

          272KB

          Download

        • memory/2952-4-0x0000016AB7B90000-0x0000016AB7BB2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4048-55-0x0000000000E00000-0x0000000000E47000-memory.dmp

          Filesize

          284KB

          Download

        • memory/4048-94-0x0000000000E00000-0x0000000000E47000-memory.dmp

          Filesize

          284KB

          Download