2c41808826974a0fdd3c7b27850143cad077a79e0cf69c011da495d6abee679a

Resubmissions

24-11-2024 19:42

241124-yexs5s1rgq 10

24-11-2024 09:24

241124-lc6xtatmay 10

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe
Size

254KB
MD5

09b5f5200e59d3a4623d739661ce9832
SHA1

8cfecf1996164ea98bbffbedc951b740cb35ca94
SHA256

a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323
SHA512

932448936c0e6e48ad059b4b224ba94e723f771d7d31f0e183f65ab46fff18ff01d5f7185a30258a1c46c7777677c4f2defefcc1db2645f732f3c13bb98b5977
SSDEEP

3072:nl6lh5pdDkFgvGRPLYYhmB218CdV3GB9Qr8lWmN5PSRs5CMMXQFPml5gdN+98bep:oj7ToPpmBHi2B9mXx98beF+LUDj0YUk

Score

10^/10

credential_access discovery execution ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\GK9X59JWEe.README.txt

Ransom Note

ATTENTION! Don’t worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that’s price for you is $490. Please note that you’ll never restore your data without payment. To get this software and key you need join our server discord: discord.gg/ Personal ID: 2db500aa20c44aaf8a31681e8bab5dd0

Signatures

Renames multiple (961) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
4708	powershell.exe
412	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

Processes:

flow	ioc
23	discord.com
24	discord.com
32	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
19	ipinfo.io
17	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

Processes:

wmic.exe

pid	Process
2560	wmic.exe

Modifies registry class 1 IoCs

Processes:

a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
4980	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid	Process
4708	powershell.exe
4708	powershell.exe
3936	powershell.exe
3936	powershell.exe
412	powershell.exe
412	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exepowershell.exepowershell.exewmic.exewmic.exe

description	pid	Process
Token: SeDebugPrivilege	1116	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe
Token: SeDebugPrivilege	4708	powershell.exe
Token: SeDebugPrivilege	3936	powershell.exe
Token: SeIncreaseQuotaPrivilege	5084	wmic.exe
Token: SeSecurityPrivilege	5084	wmic.exe
Token: SeTakeOwnershipPrivilege	5084	wmic.exe
Token: SeLoadDriverPrivilege	5084	wmic.exe
Token: SeSystemProfilePrivilege	5084	wmic.exe
Token: SeSystemtimePrivilege	5084	wmic.exe
Token: SeProfSingleProcessPrivilege	5084	wmic.exe
Token: SeIncBasePriorityPrivilege	5084	wmic.exe
Token: SeCreatePagefilePrivilege	5084	wmic.exe
Token: SeBackupPrivilege	5084	wmic.exe
Token: SeRestorePrivilege	5084	wmic.exe
Token: SeShutdownPrivilege	5084	wmic.exe
Token: SeDebugPrivilege	5084	wmic.exe
Token: SeSystemEnvironmentPrivilege	5084	wmic.exe
Token: SeRemoteShutdownPrivilege	5084	wmic.exe
Token: SeUndockPrivilege	5084	wmic.exe
Token: SeManageVolumePrivilege	5084	wmic.exe
Token: 33	5084	wmic.exe
Token: 34	5084	wmic.exe
Token: 35	5084	wmic.exe
Token: 36	5084	wmic.exe
Token: SeIncreaseQuotaPrivilege	5084	wmic.exe
Token: SeSecurityPrivilege	5084	wmic.exe
Token: SeTakeOwnershipPrivilege	5084	wmic.exe
Token: SeLoadDriverPrivilege	5084	wmic.exe
Token: SeSystemProfilePrivilege	5084	wmic.exe
Token: SeSystemtimePrivilege	5084	wmic.exe
Token: SeProfSingleProcessPrivilege	5084	wmic.exe
Token: SeIncBasePriorityPrivilege	5084	wmic.exe
Token: SeCreatePagefilePrivilege	5084	wmic.exe
Token: SeBackupPrivilege	5084	wmic.exe
Token: SeRestorePrivilege	5084	wmic.exe
Token: SeShutdownPrivilege	5084	wmic.exe
Token: SeDebugPrivilege	5084	wmic.exe
Token: SeSystemEnvironmentPrivilege	5084	wmic.exe
Token: SeRemoteShutdownPrivilege	5084	wmic.exe
Token: SeUndockPrivilege	5084	wmic.exe
Token: SeManageVolumePrivilege	5084	wmic.exe
Token: 33	5084	wmic.exe
Token: 34	5084	wmic.exe
Token: 35	5084	wmic.exe
Token: 36	5084	wmic.exe
Token: SeIncreaseQuotaPrivilege	508	wmic.exe
Token: SeSecurityPrivilege	508	wmic.exe
Token: SeTakeOwnershipPrivilege	508	wmic.exe
Token: SeLoadDriverPrivilege	508	wmic.exe
Token: SeSystemProfilePrivilege	508	wmic.exe
Token: SeSystemtimePrivilege	508	wmic.exe
Token: SeProfSingleProcessPrivilege	508	wmic.exe
Token: SeIncBasePriorityPrivilege	508	wmic.exe
Token: SeCreatePagefilePrivilege	508	wmic.exe
Token: SeBackupPrivilege	508	wmic.exe
Token: SeRestorePrivilege	508	wmic.exe
Token: SeShutdownPrivilege	508	wmic.exe
Token: SeDebugPrivilege	508	wmic.exe
Token: SeSystemEnvironmentPrivilege	508	wmic.exe
Token: SeRemoteShutdownPrivilege	508	wmic.exe
Token: SeUndockPrivilege	508	wmic.exe
Token: SeManageVolumePrivilege	508	wmic.exe
Token: 33	508	wmic.exe
Token: 34	508	wmic.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe

description	pid	Process	procid_target
PID 1116 wrote to memory of 4708	1116	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	83
PID 1116 wrote to memory of 4708	1116	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	83
PID 1116 wrote to memory of 3936	1116	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	85
PID 1116 wrote to memory of 3936	1116	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	85
PID 1116 wrote to memory of 5084	1116	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	89
PID 1116 wrote to memory of 5084	1116	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	89
PID 1116 wrote to memory of 508	1116	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	93
PID 1116 wrote to memory of 508	1116	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	93
PID 1116 wrote to memory of 1268	1116	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	95
PID 1116 wrote to memory of 1268	1116	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	95
PID 1116 wrote to memory of 412	1116	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	97
PID 1116 wrote to memory of 412	1116	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	97
PID 1116 wrote to memory of 2560	1116	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	102
PID 1116 wrote to memory of 2560	1116	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	102
PID 1116 wrote to memory of 4980	1116	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	105
PID 1116 wrote to memory of 4980	1116	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	105

C:\Users\Admin\AppData\Local\Temp\a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe
"C:\Users\Admin\AppData\Local\Temp\a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3936
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5084
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:508
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:1268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:412
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:2560
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\GK9X59JWEe.README.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\CURRENT

Filesize
24B

MD5
c60347dece4428b002d78e99bb55ea63

SHA1
a62d46743cd943635b7a1f574232842f04c23070

SHA256
d6163a9bf5be69a69378d33016fd44aed2141254fa6048396fe44251f56e7743

SHA512
f82e249578f419d1aee0150944d986a7aa7df427cf50d0b7f20326edcd7c183fe1b75beeff8b74bb520aa0d19f31b7d788ef263cb557c1ad28db854bf85bc40f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000001

Filesize
64B

MD5
90fd006f28bc34c96fb9cb94cf67e521

SHA1
43d4ca1ad6f07c66cff5e033adf16b7862fb3e6a

SHA256
4670f16f8eec18aded17c0536757ff79b570b93bf3f656d14ada3f356df23e00

SHA512
fea8b4d7a6f1d9dd3dd1bdcecf4a817f63161b5fa092f0cfca00e51a7fd149068ab07c201cda75a987a58126a5cf04e01200a643718b05896f2c53d97d3c940f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index

Filesize
44B

MD5
b49ea594fd8f3444e1386ad3daecda4f

SHA1
5ee1acfcfb42e5f03f654de36163a6ec5cd01ff6

SHA256
0a9153cd5220e160d854d403a45d6b89cc795f0d206d660d20841e2e92596d01

SHA512
b42618fa3a02d8b470f147932f0958e31b0d82f4427a60ba71a87b39999226ab85b09c824d8c1d556654ba097c163bb5d5f8af69c79b8c826451e4d1b9d19f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_0

Filesize
10KB

MD5
b3e8be06e2abcce89f5dbda1357c2935

SHA1
6b935e72eaa1efbe5e0cab85a7ca2788e0d479de

SHA256
afcb58011e63c784f95af205d1bf17edd766dc77792f168b2feb6b99061eed34

SHA512
871502ab6076adcfa51c50f07e49c913959037b2518261e8745dadd02afa57d01ed53f983fd073705600c6208dea292c0899c8b748b5113a6a040e0c3cb98933

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_1

Filesize
352KB

MD5
964f0d63db8aa37c10ab37d23d121f07

SHA1
97a3fbafbe288203f01575e21f2236291d99cf6d

SHA256
de9801c97fd63cd99a5d5f80493dd6c5e2f39bf8b971aab915d3fef5da5149e8

SHA512
43a6d8e3972d3eed03b107b5a9482eb71dd059460efe83671379e17bd130c4766c272636180b47091a063338630fd7803ba628ca452580653a1603b6f51aea06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_2

Filesize
10KB

MD5
121a02592f9e9632363ed89537e558be

SHA1
8aa4b3be449e4383f373f3141ea6eab96bf96dec

SHA256
2838c10e2d126d08f7961183f4d8bc0e17155b2ea48ad0052cc592d572342a60

SHA512
d33f63d2135176d6da58db6a42255831dfdd12f78c373629127460a5656872346f93de392fa0b6158d5303d53fc38b6e1fa987c87350726a984f83a0c596c22a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_3

Filesize
10KB

MD5
f66421544253d36bf07edf3937a0bdeb

SHA1
ae66a6f789479211a87c1da93e775cdcff6cb7f9

SHA256
f73ae7381ddbe79070582d2654cefd089932429cf90131fc24bc52d59d2c5dad

SHA512
f5b67aa95c213a1ec22e2f553c2a5bb94b449d25b850327a39ec1ec4b6814534e9ff01a79be57078ecddcf1af8706b461709d4af1c3ded42390f7150b853aad3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

Filesize
441KB

MD5
f8124a8563ca9a9a104577026a380b7a

SHA1
4998160b45ca6bae8a2fc6cdc4a3a1693d9c7dac

SHA256
3cba2f1c0355005ce4cf096d4c5e9dac94cf1b1ea317ccb8a8a2d29718be165c

SHA512
9cd8578187426635ec8691963026e8601c9446f78216ae02622eb0ac43bc0e81cd480a40b0c03a478bd170204f14140b26c067edaf15bde08faf3a5b3559c1bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
88B

MD5
b2d6dc9fa86736d8003c80d506f7fc87

SHA1
f47b1264a0c87e220d45de9dd0c64200d5542d78

SHA256
36180fa37aba1c6e08e0025ce69299667debb5ef15685f1de0a78e6d3e11851f

SHA512
93187ccbc109f309281b5868f57ab56c1b982dd309fbd9dfd93ded6b9ddf6727933dc462449b6d819b8654bab3be088530d7eeb1f934d247126f3ece7545abcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d0d7afbfa1f7b7e081d7a6aab569d8ef

SHA1
1dd55e24bf05325802e04c8dae1e168e69eb3d4b

SHA256
ec7dba60fe056d3ba1a5692ed0df2f19542e600e0b19718e26cac216354d5a73

SHA512
27b856fcada934b38a711f316196017b63a55dc8590f0f0d4da9e8a8ddf3f080521a87425145aeaf038e959bca071277c59b184a62b72a16f1a75f08317b217c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Explorer

Filesize
48KB

MD5
27c5ff168ca8b65dce4d8572054c9651

SHA1
adb5a0df29bd391dc98710a914826a7c3d984e2e

SHA256
377652817efa870df1dc11e226b6e864603184e0db1ecef649ccff241b7ebe1b

SHA512
b8ade3dff96feb9fc7737befd758acfbe79d84d85db7543f26408845b1e361f4aa96330f507e1b6fad849482bcf1708e65757f54ad780f4ca17fc84992c3f87e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\https___java_com_help

Filesize
48KB

MD5
778fb836717aea608bf5b51837f5b9e0

SHA1
7d67098466ba74f2daff4b3b4002d99beb45c214

SHA256
710ddcb8f3437344a5808e6def135252d407ad6e3444de75b7aebb0d5be073cf

SHA512
03686373bdd8a1a6d13bd6e57f474ea21e093f55a46d2685769cdeeab0fb1bfa6f53d562d04f1a9737a0faef59bccfe0b00562055fe4c932af58bf25f80e4ca2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_VideoLAN_VLC_VideoLAN Website_url

Filesize
48KB

MD5
27657f8ee295a9591c5b8943a80bb30b

SHA1
8b9001e565fccf6da3ed2bca556ec0900956b247

SHA256
939dcad8ce3dccb5cf0a10cc053ae67351d4f03a45494c1c52188add233e6f72

SHA512
096fed0d125ae685bc0074a014f0b24f532fedb0b6e45ce15cec1ac6b0b54361285d3c1961c0640a25ea685bd6de6841f0abe997a627f718f1813209b511ed64

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_VideoLAN_VLC_vlc_exe

Filesize
48KB

MD5
d8ccceb2b7ddc42d2bb9585b3427848d

SHA1
5422a384ca0b44f0ec69ee1c86d93561f8040026

SHA256
0dec293bfafe00b8ec2352e505c2bb620bcd35a02aedeaa743f4e7a972969023

SHA512
b182649c51768b49018996ffd54b6144c86a1a63ae4ab926c771d0039ec51a3aab5783a7da469b9eb44bc068d5ad69cb7dc1dae42a78bc8ac0c1f4a6ffb2f505

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ef506c15-15b1-45c5-a0e9-a6987fbafa75}\0.1.filtertrie.intermediate.txt

Filesize
24B

MD5
4b1d37865d61a06d02c11d4dad1f15d0

SHA1
c40b21db1c75acd651f63ef3a13fe7429c410d30

SHA256
1e64091ffc58b01865b30ac7d346f8c264d5d0d74554d517c087898619cf80d8

SHA512
3fbd7caff1714bd41b7d3dbcc5b86001a7126dd4f6f8769b1dc2263231b8ba781b59e6ff297e74eb088249062fd308774f2606529b0fcbfd7462fb2080193162

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ef506c15-15b1-45c5-a0e9-a6987fbafa75}\0.2.filtertrie.intermediate.txt

Filesize
24B

MD5
01986c6e7e4a742c5e34a284755cac67

SHA1
71344fe505d5164f57cd90c06923c2d8632b666a

SHA256
a90a28753fcf0b08c1282d2a7f5f0bb94f59e82c9c189d60f2640b833ced6adb

SHA512
d46f39d96c8ba17661bee817c28297c707e2d8fa3843fd999ff0a1042a687587b63f91e3d98b61e96197e366baf1ca95a109a74dfd8d5ce3a5d27e14a1a1c5d5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727655840085328.txt

Filesize
103KB

MD5
b657d96271f961707bea6a4c7079577f

SHA1
09a3f88edbb2f3c2b84856012fa7f02f4f2bcdb5

SHA256
99a5cb3e14b11f88cc6d4e4f61fff406243f1fcae94ca337bca4c71b74e38ecd

SHA512
04c2746d21e9a38fbbf1c667996b4af887273bc3ec1997e9781f2416ae9c1fc4b13ec3ff7a40a6301210dd3fb7eb8a469d2443eedb0f990e7c5fc6544a13e309

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656363999749.txt

Filesize
62KB

MD5
835f1f60f491eab765cbf1cff0e56588

SHA1
db0cc570ef94b4e687c56bd2ce5190ca1edc7816

SHA256
f34553b4dcc71ba00d5bd71446a8f55220d3e2964de4a59858649e9492271606

SHA512
78ae7c2edd7fec20f4154e3df5399dc375fb674c8bb9e8fd75e54859e36e2263fc944264877dcb23a07f3b132f957de23056016fc13210cb20e39884f53db3b2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662640605367.txt

Filesize
84KB

MD5
4f8877074f719303d5aecd9180d0dc20

SHA1
46708424aa0d6763349a4a07fa0c62ee029ddd30

SHA256
9c4017e2ed89d23ccb3471cebc93881615fb5fb61a9e4a75e02b8f29355fe725

SHA512
3ad46ca6d49e42b8e6d4acdce0a67650c28306762992392ec1ebf9a0ea6a009fcff1a26224559e0bdd887695df1600d4bb5915e9a1bfa778f4f827c996b0c255

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727665714398674.txt.luxy

Filesize
99KB

MD5
26869a1aa954c569f355838c1164fab1

SHA1
c44534847b20881877fb26866065b33af6c1d6e1

SHA256
5109c511fa0c2e03d4fab97f44bd4555d930d57b8c21e84c2ad1c4873990cceb

SHA512
097c5168ce3e6b5979c65a3f816446847f571661c8f1eee6c2eab412d032ca0aec0838981eea5a0e52148d81f9bb83f28a28a8fd07578065b1447ad304fc6e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\GK9X59JWEe.README.txt

Filesize
668B

MD5
793ae0b94e4e412e810b016b2d382d93

SHA1
1336574423c7888fc82b44e829cac361133fa85a

SHA256
c024b5e4d2ac1b76c57a82646107282f0ad71f5a42149c22bb441f651271c43f

SHA512
20d578dce703fdc00189b5825e09179e6741a8b2a91e2ebabe394081373ade1f85dd8bcbceb148a051e45118af7652a7dac2408a1bdad98793e971b193cab8eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hjt1sw55.rjs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1116-48-0x000002E07FDE0000-0x000002E07FDEA000-memory.dmp

Filesize
40KB

Download
memory/1116-66-0x00007FF982040000-0x00007FF982B01000-memory.dmp

Filesize
10.8MB

Download
memory/1116-5-0x000002E07FE00000-0x000002E07FE1E000-memory.dmp

Filesize
120KB

Download
memory/1116-4-0x000002E080070000-0x000002E0800C0000-memory.dmp

Filesize
320KB

Download
memory/1116-1-0x000002E07E0E0000-0x000002E07E124000-memory.dmp

Filesize
272KB

Download
memory/1116-2-0x00007FF982040000-0x00007FF982B01000-memory.dmp

Filesize
10.8MB

Download
memory/1116-2095-0x00007FF982040000-0x00007FF982B01000-memory.dmp

Filesize
10.8MB

Download
memory/1116-0-0x00007FF982043000-0x00007FF982045000-memory.dmp

Filesize
8KB

Download
memory/1116-3-0x000002E07FFF0000-0x000002E080066000-memory.dmp

Filesize
472KB

Download
memory/1116-49-0x000002E07FE40000-0x000002E07FE52000-memory.dmp

Filesize
72KB

Download
memory/1116-65-0x00007FF982043000-0x00007FF982045000-memory.dmp

Filesize
8KB

Download
memory/4708-17-0x0000025C1F930000-0x0000025C1F952000-memory.dmp

Filesize
136KB

Download
memory/4708-7-0x00007FF982040000-0x00007FF982B01000-memory.dmp

Filesize
10.8MB

Download
memory/4708-33-0x00007FF982040000-0x00007FF982B01000-memory.dmp

Filesize
10.8MB

Download
memory/4708-30-0x00007FF982040000-0x00007FF982B01000-memory.dmp

Filesize
10.8MB

Download
memory/4708-6-0x00007FF982040000-0x00007FF982B01000-memory.dmp

Filesize
10.8MB

Download