aa6f3167bcd3cceedf53810713999c649b0e8d52beeb4e30804813d54dd2e59d

Analysis

max time kernel
140s
max time network
205s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

original shipping documents.js
Size

30KB
MD5

c34e2fe548e947a64ac894a457bb598a
SHA1

01408b7989f7b88220129c599c7a58a389b35cb2
SHA256

bef77bb820ab4134ef575f8c68b0c0e75c124990790309cf6782928aaeba9d9c
SHA512

cd37464c37db0082453b9c17df0b331e9d91105fd7c014010966bd423d496c127baa67cb46f8b939c67c1d5540ad7ef0cc35a738957cfb33020da1a99255898e
SSDEEP

768:OJWm9aFqK2Y4WaQ4Vg4vf4bQuvAsBvPqMGzk6Q:O3mkk6Q

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
1	4700	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4112	wscript.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	wscript.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	1	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1996	vlc.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2464	powershell.exe
2464	powershell.exe
4036	powershell.exe
4036	powershell.exe
2464	powershell.exe
2464	powershell.exe
2464	powershell.exe
2464	powershell.exe
2464	powershell.exe
2464	powershell.exe
2464	powershell.exe
2464	powershell.exe
2464	powershell.exe
2464	powershell.exe
2464	powershell.exe
1536	powershell.exe
1536	powershell.exe
1596	powershell.exe
1596	powershell.exe
1536	powershell.exe
1536	powershell.exe
1536	powershell.exe
1536	powershell.exe
1536	powershell.exe
1536	powershell.exe
1536	powershell.exe
1536	powershell.exe
1536	powershell.exe
1536	powershell.exe
1536	powershell.exe
3252	powershell.exe
3252	powershell.exe
4964	powershell.exe
4964	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1996	vlc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	4036	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	3252	powershell.exe
Token: SeDebugPrivilege	4964	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe
1996	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1996	vlc.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 4700	4112	wscript.exe	82
PID 4112 wrote to memory of 4700	4112	wscript.exe	82
PID 4344 wrote to memory of 2464	4344	WScript.exe	93
PID 4344 wrote to memory of 2464	4344	WScript.exe	93
PID 4344 wrote to memory of 4036	4344	WScript.exe	97
PID 4344 wrote to memory of 4036	4344	WScript.exe	97
PID 2464 wrote to memory of 2320	2464	powershell.exe	99
PID 2464 wrote to memory of 2320	2464	powershell.exe	99
PID 2464 wrote to memory of 2320	2464	powershell.exe	99
PID 2464 wrote to memory of 2144	2464	powershell.exe	100
PID 2464 wrote to memory of 2144	2464	powershell.exe	100
PID 2464 wrote to memory of 2144	2464	powershell.exe	100
PID 2464 wrote to memory of 1352	2464	powershell.exe	101
PID 2464 wrote to memory of 1352	2464	powershell.exe	101
PID 2464 wrote to memory of 1352	2464	powershell.exe	101
PID 2464 wrote to memory of 2092	2464	powershell.exe	102
PID 2464 wrote to memory of 2092	2464	powershell.exe	102
PID 2464 wrote to memory of 2092	2464	powershell.exe	102
PID 2464 wrote to memory of 1260	2464	powershell.exe	103
PID 2464 wrote to memory of 1260	2464	powershell.exe	103
PID 2464 wrote to memory of 1260	2464	powershell.exe	103
PID 4036 wrote to memory of 3888	4036	powershell.exe	104
PID 4036 wrote to memory of 3888	4036	powershell.exe	104
PID 2464 wrote to memory of 968	2464	powershell.exe	105
PID 2464 wrote to memory of 968	2464	powershell.exe	105
PID 4344 wrote to memory of 1536	4344	WScript.exe	107
PID 4344 wrote to memory of 1536	4344	WScript.exe	107
PID 4344 wrote to memory of 1596	4344	WScript.exe	109
PID 4344 wrote to memory of 1596	4344	WScript.exe	109
PID 1536 wrote to memory of 3496	1536	powershell.exe	111
PID 1536 wrote to memory of 3496	1536	powershell.exe	111
PID 1536 wrote to memory of 3496	1536	powershell.exe	111
PID 1536 wrote to memory of 5080	1536	powershell.exe	112
PID 1536 wrote to memory of 5080	1536	powershell.exe	112
PID 1536 wrote to memory of 5080	1536	powershell.exe	112
PID 1536 wrote to memory of 4288	1536	powershell.exe	113
PID 1536 wrote to memory of 4288	1536	powershell.exe	113
PID 1536 wrote to memory of 4288	1536	powershell.exe	113
PID 1536 wrote to memory of 4284	1536	powershell.exe	114
PID 1536 wrote to memory of 4284	1536	powershell.exe	114
PID 1536 wrote to memory of 4284	1536	powershell.exe	114
PID 1536 wrote to memory of 116	1536	powershell.exe	115
PID 1536 wrote to memory of 116	1536	powershell.exe	115
PID 1536 wrote to memory of 116	1536	powershell.exe	115
PID 1536 wrote to memory of 3204	1536	powershell.exe	116
PID 1536 wrote to memory of 3204	1536	powershell.exe	116
PID 1596 wrote to memory of 4112	1596	powershell.exe	117
PID 1596 wrote to memory of 4112	1596	powershell.exe	117
PID 4344 wrote to memory of 3252	4344	WScript.exe	118
PID 4344 wrote to memory of 3252	4344	WScript.exe	118
PID 4344 wrote to memory of 4964	4344	WScript.exe	120
PID 4344 wrote to memory of 4964	4344	WScript.exe	120

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\original shipping documents.js"
1⤵
- Checks computer location settings
- System Network Configuration Discovery: Internet Connection Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\restored.vbe"
  2⤵
  - Blocklisted process makes network request
  PID:4700

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\VJsbEnSfUjMLrzV.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2320
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2144
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1352
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2092
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1260
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2464" "2760" "2716" "2764" "0" "0" "2768" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:968
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4036
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4036" "2684" "2612" "2688" "0" "0" "2692" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:3888
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:3496
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:5080
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4288
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4284
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:116
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1536" "2748" "2684" "2752" "0" "0" "2756" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:3204
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1596" "2684" "2612" "2688" "0" "0" "2692" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:4112
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3252
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1596
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2988
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2288
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:5084
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4388
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4964

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\StepUse.M2TS"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER86D0.tmp.xml

Filesize
4KB

MD5
0c1b263b22f43122427b0d853e77a111

SHA1
2654a3576f296db6459e749653944d5afbf3d5f2

SHA256
c6d3637fda9ec6f8a99e6de5e5f6962e6d87a78106a2e0aee8f832ab01b788dc

SHA512
c354be6704eba817200edb1823ebbd07343e4899c7d51c0b7db45d0fbbb26cdc1a192ee6c90db6cca896ed25d9499238c039eb83f0d505881e58bbd0870e959a

Download Submit
C:\ProgramData\restored.vbe

Filesize
14KB

MD5
50afd76634e638e6f90dc455ccd9a7d2

SHA1
e7bc02f20bc093fd3fc9cca318d6b829a2020b2b

SHA256
fb7a7d9e890523d16641782eadd7905720d7b62f4450029d4c4b5ac39e88a170

SHA512
a47c5aef0f1397dd09838f08a325f961cab2a3f2998db2b73b48e29da4ec2a6c219b0a43bc8c5186fe8204c4a5bfb03c97a5d41787b8837591f664140d0f450c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
9461a7cfb20ff5381df28f51b80c5ef1

SHA1
c86c53fca1dcbe307dafbefbb366abf52c9f5eca

SHA256
d4af1948337d0deb725f4f2b1fe1a9b60f4519841e28748b11bfd62ccd71e028

SHA512
da1e17f67dfebb004ba93d489be504fd7af6d62709ada2581ffa77880baecdaa0015b49d36333d18216d9dc6aad7b0ea2e5bd224d8d3f65ee9b66a05fc45e304

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2b30242fe3de4d9edb43c28f08031166

SHA1
3dec76d6059bc908c3c1afe3c6512bb9b2884466

SHA256
176626b849aae53dfff8e6577e14ce326ef446cb4ef95fc7aade9b6e2444345a

SHA512
9891c05741744099c40dd66f951e963fe762e3d241a43f338bc805df81727fc0728c0f257a229f7c5a79d713832cd933488eb6740cb17e29630a53b4753b4240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
3KB

MD5
2413d99a94dac8396fff099eee730b39

SHA1
6da84893868537926fe683eae9ac29341e1589c5

SHA256
0082c048a409eb7a4f11f1e9fe0f1cb01d810404213faa2d0088a3c49a917b8e

SHA512
b76b957ddbe1d784694a31fa610630cc28dc84a8d871e310bfdd2615d8323d5707e12ce8dd62336cc24a9cb9d7541b2d55f2b6e150561e6584af092df1feb9e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
600B

MD5
162640495cc7d0579adbf4262e8c64b8

SHA1
d42bb5a657ea89e15f392ece8dc21f059aa878c1

SHA256
11ee4727f61ecfe70222eaf36f5f0ab99bcf3c79972184a979167a0fe512c202

SHA512
f14a78b97ee3bff34c28c44f2047f0ebae49d9614c598efb55fa4023b8e4b1ec7d758687f50e339453f88f9d6132eb72572ea1642dac35fe01c8a435a16e96cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hqznklaj.pq2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Filesize
252B

MD5
7160f5ef74572cca14e352a66247c08b

SHA1
76fad2d4eec4907a29ca612c663ce1c104bcee2f

SHA256
e0489d695a936479982bb40295d98fe9650ba2fd9667c818cf9d2d2a63677bee

SHA512
eb7e31543cc8dcb05e91d6401a3f2f0d3b5e4bb953ffb06dfc9a144855ffbe3981228ae71391cf44af44bdf21df72252f70b4bd1c7b499176e9c2102a43a0bdb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Filesize
504B

MD5
2f1db0510a85e98ecc3bef5d643fdd2f

SHA1
17a2081043b48e68fb75a02dda9834af40fe6198

SHA256
214383fb9fdfd56e53268fbaf092752965c8d2e241af5d06ca9ac79d491f893a

SHA512
6384b9d24b7d73ec0314cbb33c937ea4b1a7a0f8f32b2759a134734ba81243b04b6757746e61623ef227389e2a02bf94d4c48a2e20634c97415586ed852631c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
a1a8b11974f0f7568271f2cf84122241

SHA1
76d1ebd0c56846c7e9cc7b2f792e28a3ee7dcaa1

SHA256
672f0346fc0d82facb8d9f4d317da887df637f490a3ee4640b216c1dd47af44f

SHA512
c447773f30921e5c861c287a8bb92c0fc00591d9e2b48f13be353b012a14915f11b22b56cd3a8cc5af237348c9854475e287246ccb1821c18afe98220eed2c4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
a02d7b19b83f731e48b059c5e2089415

SHA1
42627ce04beeb7560767cc597fe23de859e4defe

SHA256
e74d354e5dabdd252a9ee157d61cbc74527a913c955ca118e2d3023860939876

SHA512
641bce5176c13ff9193ec075a675c52a1bc059ddd330b6305fb22c17a3e6fed72a319af448fdc47888ca19ed58ed3416ee9a8cc0c0da376ab90f5cde7aec2d82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
6913f02cc1c0bc4e865e8c606499e785

SHA1
393691f46e0e78eb16c172845647bb4d7fede052

SHA256
833cd56344719faff6fff04c05f8bce4844699a7b071d245cb74cf2181ee17a2

SHA512
6839ef715308d76e75dd4cf8c843d9d72a25d91a5f0d3e3a2def59dd92d45fb72445c5d26499e64e62d00df354ed8524e81a3211cdadc6c70d2ce603dedb2c61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
c133bbbcc0dd7ae2cdd1eb864eceb2da

SHA1
f3c7146855f477731af5119d868e98cc02d382cd

SHA256
ac9c25c29b936dc881a93f84218d943ca0f025315a949d1f7fb687945eddae6b

SHA512
c35ad6e933af8d0a3f1088f8f311807de1a114f63554dd87a9e8322fc5f392f734e0ec2fbdfb156eb68004738a3426bf5a2c9f31498815094bb1029bace2c662

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
5ebae7b5fac4372207863ca8c4e93610

SHA1
d9c9c2efeab22ad862b3c6b231d5ab44af083c88

SHA256
3e16c53dae71cb9997ef630ffb6d27b09fc89363a779daca0b9ef17154f1531b

SHA512
d8e30ac69b16c3336c6c759c6b16ff531591d4b71c08651637a846a1b6b0f09484f3bb507ed42cffcab37ef48a7d8de8573a522a1254de502015195ad8210cdc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
4fd2098ba6f148d0d847863995153dc7

SHA1
960139773d3da90c3ec40cff3462a607d8d268d9

SHA256
fab5c2409d6f1d9d437f9750009ce96e43566d795bcb484eb19ecaa7a4eb1fd1

SHA512
1a0b933c84174719c83afe195679e4407648460214d21ebaec07784cbe092bd6581a164a695473c60645e6e9668c17d726e639ca4b98319b09581763704b678e

Download Submit
C:\Users\Admin\AppData\Roaming\VJsbEnSfUjMLrzV.vbs

Filesize
2KB

MD5
c9fad78878dfb374e55163fd728a42e9

SHA1
08a0cfd1d4155301c6d308917a305a1142a1bd15

SHA256
0df392e595e30753e10b2e5b0263ef2b6a2538610e2e0af3dd4340f1dd205b67

SHA512
2e7766a7e9b93c1e83091bda164cb2e09ba681b6c5ba8e6f2f7b3dd41c640ac214cf586f22dd46283bc70f0d26abad23cac7ab89a8f163077d9887d505ea2000

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
73B

MD5
05dc9d5be4a75f1d68adfb77c84c1280

SHA1
a927f597ab40804c524701b71ad1c43b2f67f5ff

SHA256
f9e8de69ab49496bad1036db9d23e2e1868f52f04baab58a85f918389fcfabb3

SHA512
558f1bc2f20c49f8ead2528787b5f60359c6587ab8d28692eb5b450d5c8e002f951ae0327af658ef2747098a9503e5806c43484383b1198d823623ce90753f50

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
74B

MD5
0877063ee1dc8981e722f212408814d5

SHA1
6df7d0374708cfc49c76759ffe0b60032ca8c204

SHA256
6c7c8cf6209cec2b87678b1accf118020eb05c5342337f74e9c0c9bc82c34636

SHA512
1c245cecd27847d2a70874e6f5df504a9f66d9fc825737cf4aeeb52e17c2d2174ba661077af2d2864a30e5475e88c6c3fdaf98baec6106b077f61136b5e33a6c

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock

Filesize
18B

MD5
0063de2564bba0ca6ff57f4be5864084

SHA1
cd405064380b74e8a0fca62da7c819e6e8ed6a77

SHA256
94a6bff02e4bc154c06e8c2130125ce269f288edfff91ebb98cb5de1ff829e8e

SHA512
92c02ead04114c583e2308ae178aa6a860f7dcc036e801d0ef3a7eafacb9bcec441b36ff7ead323d7b6e5d64565cdc2c7d3b8080ec1f1e50cb7b9d0879cf1125

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlcrc.1996

Filesize
94KB

MD5
7b37c4f352a44c8246bf685258f75045

SHA1
817dacb245334f10de0297e69c98b4c9470f083e

SHA256
ec45f6e952b43eddc214dba703cf7f31398f3c9f535aad37f42237c56b9b778e

SHA512
1e8d675b3c6c9ba257b616da268cac7f1c7a9db12ffb831ed5f8d43c0887d711c197ebc9daf735e3da9a0355bf21c2b29a2fb38a46482a2c5c8cd5628fea4c02

Download Submit
memory/1996-30-0x00007FF9530D0000-0x00007FF9530E7000-memory.dmp

Filesize
92KB

Download
memory/1996-175-0x00007FF950FB0000-0x00007FF951266000-memory.dmp

Filesize
2.7MB

Download
memory/1996-36-0x00007FF950F60000-0x00007FF950FA1000-memory.dmp

Filesize
260KB

Download
memory/1996-38-0x00007FF950EB0000-0x00007FF950EC8000-memory.dmp

Filesize
96KB

Download
memory/1996-39-0x00007FF94EDB0000-0x00007FF94EDC1000-memory.dmp

Filesize
68KB

Download
memory/1996-40-0x00007FF94ED90000-0x00007FF94EDA1000-memory.dmp

Filesize
68KB

Download
memory/1996-25-0x00007FF969130000-0x00007FF969164000-memory.dmp

Filesize
208KB

Download
memory/1996-31-0x00007FF951E70000-0x00007FF951E81000-memory.dmp

Filesize
68KB

Download
memory/1996-41-0x00007FF94ED70000-0x00007FF94ED81000-memory.dmp

Filesize
68KB

Download
memory/1996-35-0x00007FF94CB00000-0x00007FF94DBB0000-memory.dmp

Filesize
16.7MB

Download
memory/1996-42-0x00007FF94DE80000-0x00007FF94DEAC000-memory.dmp

Filesize
176KB

Download
memory/1996-92-0x00007FF94CB00000-0x00007FF94DBB0000-memory.dmp

Filesize
16.7MB

Download
memory/1996-103-0x00007FF950FB0000-0x00007FF951266000-memory.dmp

Filesize
2.7MB

Download
memory/1996-112-0x00007FF94CB00000-0x00007FF94DBB0000-memory.dmp

Filesize
16.7MB

Download
memory/1996-24-0x00007FF615B30000-0x00007FF615C28000-memory.dmp

Filesize
992KB

Download
memory/1996-27-0x00007FF969C10000-0x00007FF969C28000-memory.dmp

Filesize
96KB

Download
memory/1996-28-0x00007FF953170000-0x00007FF953187000-memory.dmp

Filesize
92KB

Download
memory/1996-29-0x00007FF953150000-0x00007FF953161000-memory.dmp

Filesize
68KB

Download
memory/1996-34-0x00007FF94EDD0000-0x00007FF94EFDB000-memory.dmp

Filesize
2.0MB

Download
memory/1996-37-0x00007FF950F30000-0x00007FF950F51000-memory.dmp

Filesize
132KB

Download
memory/1996-32-0x00007FF951CD0000-0x00007FF951CED000-memory.dmp

Filesize
116KB

Download
memory/1996-33-0x00007FF9519E0000-0x00007FF9519F1000-memory.dmp

Filesize
68KB

Download
memory/1996-26-0x00007FF950FB0000-0x00007FF951266000-memory.dmp

Filesize
2.7MB

Download
memory/2464-62-0x00000290384B0000-0x00000290384BA000-memory.dmp

Filesize
40KB

Download
memory/2464-61-0x00000290384A0000-0x00000290384AA000-memory.dmp

Filesize
40KB

Download
memory/2464-18-0x0000029052BF0000-0x0000029052C66000-memory.dmp

Filesize
472KB

Download
memory/2464-17-0x0000029052BA0000-0x0000029052BE4000-memory.dmp

Filesize
272KB

Download
memory/2464-16-0x0000029038470000-0x0000029038492000-memory.dmp

Filesize
136KB

Download