2c41808826974a0fdd3c7b27850143cad077a79e0cf69c011da495d6abee679a

Resubmissions

24-11-2024 19:42

241124-yexs5s1rgq 10

24-11-2024 09:24

241124-lc6xtatmay 10

Analysis

max time kernel
94s
max time network
206s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe
Size

254KB
MD5

09b5f5200e59d3a4623d739661ce9832
SHA1

8cfecf1996164ea98bbffbedc951b740cb35ca94
SHA256

a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323
SHA512

932448936c0e6e48ad059b4b224ba94e723f771d7d31f0e183f65ab46fff18ff01d5f7185a30258a1c46c7777677c4f2defefcc1db2645f732f3c13bb98b5977
SSDEEP

3072:nl6lh5pdDkFgvGRPLYYhmB218CdV3GB9Qr8lWmN5PSRs5CMMXQFPml5gdN+98bep:oj7ToPpmBHi2B9mXx98beF+LUDj0YUk

Score

10^/10

credential_access discovery execution ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\kfTI4VSMNo.README.txt

Ransom Note

ATTENTION! Don’t worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that’s price for you is $490. Please note that you’ll never restore your data without payment. To get this software and key you need join our server discord: discord.gg/ Personal ID: e88a31ebd82443eb8532dac5e89f5044

Signatures

Renames multiple (969) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4056	powershell.exe
3576	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
20	discord.com
24	discord.com
19	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com
16	ipinfo.io

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1292	wmic.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5024	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3576	powershell.exe
3576	powershell.exe
4340	powershell.exe
4340	powershell.exe
4056	powershell.exe
4056	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1848	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe
Token: SeDebugPrivilege	3576	powershell.exe
Token: SeDebugPrivilege	4340	powershell.exe
Token: SeIncreaseQuotaPrivilege	2728	wmic.exe
Token: SeSecurityPrivilege	2728	wmic.exe
Token: SeTakeOwnershipPrivilege	2728	wmic.exe
Token: SeLoadDriverPrivilege	2728	wmic.exe
Token: SeSystemProfilePrivilege	2728	wmic.exe
Token: SeSystemtimePrivilege	2728	wmic.exe
Token: SeProfSingleProcessPrivilege	2728	wmic.exe
Token: SeIncBasePriorityPrivilege	2728	wmic.exe
Token: SeCreatePagefilePrivilege	2728	wmic.exe
Token: SeBackupPrivilege	2728	wmic.exe
Token: SeRestorePrivilege	2728	wmic.exe
Token: SeShutdownPrivilege	2728	wmic.exe
Token: SeDebugPrivilege	2728	wmic.exe
Token: SeSystemEnvironmentPrivilege	2728	wmic.exe
Token: SeRemoteShutdownPrivilege	2728	wmic.exe
Token: SeUndockPrivilege	2728	wmic.exe
Token: SeManageVolumePrivilege	2728	wmic.exe
Token: 33	2728	wmic.exe
Token: 34	2728	wmic.exe
Token: 35	2728	wmic.exe
Token: 36	2728	wmic.exe
Token: SeIncreaseQuotaPrivilege	2728	wmic.exe
Token: SeSecurityPrivilege	2728	wmic.exe
Token: SeTakeOwnershipPrivilege	2728	wmic.exe
Token: SeLoadDriverPrivilege	2728	wmic.exe
Token: SeSystemProfilePrivilege	2728	wmic.exe
Token: SeSystemtimePrivilege	2728	wmic.exe
Token: SeProfSingleProcessPrivilege	2728	wmic.exe
Token: SeIncBasePriorityPrivilege	2728	wmic.exe
Token: SeCreatePagefilePrivilege	2728	wmic.exe
Token: SeBackupPrivilege	2728	wmic.exe
Token: SeRestorePrivilege	2728	wmic.exe
Token: SeShutdownPrivilege	2728	wmic.exe
Token: SeDebugPrivilege	2728	wmic.exe
Token: SeSystemEnvironmentPrivilege	2728	wmic.exe
Token: SeRemoteShutdownPrivilege	2728	wmic.exe
Token: SeUndockPrivilege	2728	wmic.exe
Token: SeManageVolumePrivilege	2728	wmic.exe
Token: 33	2728	wmic.exe
Token: 34	2728	wmic.exe
Token: 35	2728	wmic.exe
Token: 36	2728	wmic.exe
Token: SeIncreaseQuotaPrivilege	1156	wmic.exe
Token: SeSecurityPrivilege	1156	wmic.exe
Token: SeTakeOwnershipPrivilege	1156	wmic.exe
Token: SeLoadDriverPrivilege	1156	wmic.exe
Token: SeSystemProfilePrivilege	1156	wmic.exe
Token: SeSystemtimePrivilege	1156	wmic.exe
Token: SeProfSingleProcessPrivilege	1156	wmic.exe
Token: SeIncBasePriorityPrivilege	1156	wmic.exe
Token: SeCreatePagefilePrivilege	1156	wmic.exe
Token: SeBackupPrivilege	1156	wmic.exe
Token: SeRestorePrivilege	1156	wmic.exe
Token: SeShutdownPrivilege	1156	wmic.exe
Token: SeDebugPrivilege	1156	wmic.exe
Token: SeSystemEnvironmentPrivilege	1156	wmic.exe
Token: SeRemoteShutdownPrivilege	1156	wmic.exe
Token: SeUndockPrivilege	1156	wmic.exe
Token: SeManageVolumePrivilege	1156	wmic.exe
Token: 33	1156	wmic.exe
Token: 34	1156	wmic.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 3576	1848	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	84
PID 1848 wrote to memory of 3576	1848	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	84
PID 1848 wrote to memory of 4340	1848	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	86
PID 1848 wrote to memory of 4340	1848	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	86
PID 1848 wrote to memory of 2728	1848	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	112
PID 1848 wrote to memory of 2728	1848	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	112
PID 1848 wrote to memory of 1156	1848	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	91
PID 1848 wrote to memory of 1156	1848	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	91
PID 1848 wrote to memory of 3904	1848	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	95
PID 1848 wrote to memory of 3904	1848	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	95
PID 1848 wrote to memory of 4056	1848	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	97
PID 1848 wrote to memory of 4056	1848	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	97
PID 1848 wrote to memory of 1292	1848	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	99
PID 1848 wrote to memory of 1292	1848	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	99
PID 1848 wrote to memory of 5024	1848	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	109
PID 1848 wrote to memory of 5024	1848	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	109

C:\Users\Admin\AppData\Local\Temp\a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe
"C:\Users\Admin\AppData\Local\Temp\a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4340
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1156
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:3904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4056
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:1292
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\kfTI4VSMNo.README.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5024

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\CURRENT

Filesize
24B

MD5
01a58ea191ffccaf52859f742fd199bd

SHA1
02d71dbaf7d0400ec010440fc7abd76cc00b7e6b

SHA256
d705135e4ba045cbd4942d884f3cde200cf77fa97f71386a27cfb59ce8ed0e6c

SHA512
eac65ca1968d67f3b55427819fbba46885ec85a9e4bd8b5412ba3acb6771a400cc77cf5d1cb722382e4a65b3cba9d95163d012b0e3eaeeef6b3349c877cf0993

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000001

Filesize
64B

MD5
dabfe0627768d4bba02ad8a80413cce2

SHA1
3dfc34ddc8223ba46ac68bd84f76922c63a3fc1a

SHA256
706f4b9c8135b978a61d10785e9c658eb08eb015f144a831087ce0606db3534a

SHA512
e116389e050ae4c6f841a73988b0c2b7f5ff5b4ef3f2a3ce76b4cf7b1b7df3620e22d1b1cff526afc819cc66a0c566641d0a0936f4ee63deae0054f6cb19414a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index

Filesize
44B

MD5
aa14e99b7722643683c42d445d27d177

SHA1
3a8b92690912382839a7cdd313899466380d717f

SHA256
d88e8167aab3b11b1d5f132a02c0bf5198c095fbf8f65d4384871fb53bce6bdf

SHA512
79c0252b49134e83c27a2b0ed5b2938b244cae64ead6020da1b2a22cfa140ddda5ab28ea0b6fe1a44bb348a614eedf95c0a38f0a8b764c71188735ed5d9d610e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_0

Filesize
10KB

MD5
ab47ccc82d20d43df9ca012b380760df

SHA1
c26ed336879dd32508b373c101840964c6cf45da

SHA256
a11650188194d3a15ff2cfb49e6338e73a3d37d4705c0f9ed514ac09c09a5014

SHA512
daf31b5d6e292a697b30d31109c03a2a746b855016c534a2cdd5efedb1dd31e1c4a8feda1f46526319edb051a1ce4bdc07c81b5501c69c1f3c424eb23948c1e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_1

Filesize
352KB

MD5
0f209d4a07fa8824f23965826d46ac8c

SHA1
bf6c2ed42256c4af85c8dfd0a37a05c2c8df4704

SHA256
bc2b511f6280f3547b18937b99c0d4b22fe77ee05a458c4c8a7fca1941625687

SHA512
056a70990e177b0f1468d37e8e498ad2a5fe2236452273309cf36f85fcf83c117fbc35cf85b71b3a80c88fde2aa762b448819e326e4f5eb69e0007342225c060

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_2

Filesize
10KB

MD5
8b5972896255be72cff2937563a53b34

SHA1
93fc9d03d71b5deee37b3fd0431fec90de9800fd

SHA256
b008482bf08782ba728ba05373ca6247c2ad045d37a67db77acf97735a6c8416

SHA512
673c1644055e94269fc8eda3b0829d65f35587e58033f502e65fba1d6d71e066d339c24216b4653fe6f71bc39056399e2110ea0bd229e186af67c4858a5748ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_3

Filesize
10KB

MD5
b02507ef11205f446954b83e9ba7d825

SHA1
60b75ac727618a205e5c30c1665a406970c9bc92

SHA256
28cc47de854c33d37f280d5d711483aea5ef9a551180b5873c14979171148716

SHA512
3f2380b5d689029f68463da2bea61ab7816c4ea6cae21eea586fab76e7473f47865a6ca02d0e6182e4083a9ed7f2cbb7542a8f4a696e27f5e679c8e12fd17e22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
88B

MD5
2d2d919031877eb2f30f5328033695d5

SHA1
d01fba1c25893ea4ed33fc41652d60f3eaaa363e

SHA256
99115c0d8e5abcadac1501f52099ed2017aed8ba327582cbdec2b4f0618cb966

SHA512
70a7b44e8fe53b2f7d3e945eb78c1aeb9f47c80b837a2dd245e502e1611e2d450aeffe999871ca6535699af9b3947fd08feb78e0a80fafe18a648226c2bdfa01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6317adf4fbc43ea2fd68861fafd57155

SHA1
6b87c718893c83c6eed2767e8d9cbc6443e31913

SHA256
c1ead17eef37b4b461cedc276504a441489e819c7f943037f2001966aeec90af

SHA512
17229aae8622e4bfc3caaac55684f7d4ccd3162af5919c851b1d8ac4060b6bb7b75044ecee116523d05acb55197dcb60780958f629450edef386f1e6f65f49f0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Explorer

Filesize
48KB

MD5
17402f07f5b2609b311dd784ec1a874b

SHA1
f6d19a1c191a008f4e27daba5a0e84813692acae

SHA256
9419078965627aa345ef86652a9cc08a2f91ffc4fa92a5da51c9d2b673572204

SHA512
0a37a0e0766a98d6108ef43a4e1346b0b9a50771f324512b24cce43a493d726e83dcd90abb69b4be0c23b71935decae125bb9f85ad2db1f5b7cfea8951014a59

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\https___java_com_help

Filesize
48KB

MD5
0ab748b586cb1f191741d134f77bb874

SHA1
031ee283ed1f459d73f177a0aaabb5d4cfaf622d

SHA256
d018f294d87df18b7c792cf215029f65f16b42be6410760c811249c84dd28f1e

SHA512
3644e256ac1a0f94a5ef0230c701d4363741779148c468f4fa463c8b0f9f9fecc031f90289186bb38c9b190b8d761e55da452697f7fd5b39a9a88753554817fe

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_VideoLAN_VLC_VideoLAN Website_url

Filesize
48KB

MD5
8ba0d9d4e901f9fd02503261277c1177

SHA1
f79bb4e783327d174fb27f0841d8ec8bd40108bb

SHA256
470ecbf5f8b75c2b2cfa01ed8cbf0d5dfe23b3bfadae9dc8ae870da3ff8f513b

SHA512
d84788924d89d64a4f4f9ebf70cf4bf2dc30c24d62b3ee830698fc63294e41e142cee078c34dbea1decbaf1d4c8371099adeca8a1d7f24f2f91ba8a10d3c92bb

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_VideoLAN_VLC_vlc_exe

Filesize
48KB

MD5
b4c98bdbc8e0b8f1ca8c82cf90bf9ab2

SHA1
a1e92dd5f6783246121bc552464c0bafc15452cb

SHA256
6905fdf1bca08a2e7f0e43559935c49c6673459c9514a4a6f354be691ea17209

SHA512
f4f70a65fa4c190839b1cd11c8edc1533a4ef9f295e66b7c01feab2fdf14079fcd6403ea6af110ab38c813edccd8c3132302e4c7cc0605dbb9e28615ac564a9d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{eadb07bc-cb9d-412b-8cb4-625d4a097a7a}\0.1.filtertrie.intermediate.txt

Filesize
24B

MD5
94a1bb2b0dcb4879003188cc3b03ff4d

SHA1
141af24c8da6594ecd686b975a5fb71eb950a750

SHA256
a7d614891dbc643f7353034a4fdcd974edd9d38f105df370347bb1abbafe941d

SHA512
2233baa9e38c58254eb0e4f817e5dbc65ea32c73a5eadfccd3cbd3b8d65787672fed8dbb90a159efee22d6cf91ececc4d2641e438a91bf8e8fe9596f8dd9481d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{eadb07bc-cb9d-412b-8cb4-625d4a097a7a}\0.2.filtertrie.intermediate.txt

Filesize
24B

MD5
634d4b3ae4f3c127f3816236146356fa

SHA1
553a17151b111d32c36f0f5c6b4b6a912c3a66c7

SHA256
262d9ae48644b95f911931985ffc8861e48904697888b76b16a8cc8a2453d26e

SHA512
89a24d38dd9271babc8316222f6b7619a3524381e1eb5d77bf14c43ec7066a1fd229a133f321d6d1a926205401ccf472d16bad27192c65d18cf3007055034054

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727661992394667.txt

Filesize
103KB

MD5
a9757fd949fe66503e916a3e0931d0c3

SHA1
5b786ce56c465b504212c9e237e39e4d45663ef7

SHA256
449950a765797149c39ba3afd65e1116aca12e8cd291154483012bc14bebd4c2

SHA512
c1e38fd6d6a1ec884b994f1198050bbc7ed28c719502f1e08f3a7f73bfb848e3fa0bfa591731ea1bf14298777539998e503a3c645845048bb178bcd966d16367

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662487357744.txt

Filesize
62KB

MD5
82b85935726a102c3a7261ca53eda0b4

SHA1
317e5b378408609c1c89834dbaf4ff7ef575dc14

SHA256
c352353b4e72871e7e7862f340af5dadee6a9527c7e13e139a7763d7e4a6a4bc

SHA512
8eb27f95f967417a8a75019784684b906be91cb02273fb0c912817872a2fef233c69695ce68a1bac6c13f4dc1834438c41915bbbb3faad324e877f553ec3892d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727667722373689.txt

Filesize
84KB

MD5
12345bf702b23c100fd3620023143807

SHA1
4eb67450fcfbf055b27115be6e281e80f9a1df64

SHA256
d49a79dfdf57e5c0c89b6c5e8fe2e3879d1d248dd364ea5df17dd2aa89b204c1

SHA512
45006ab4daea30a6fb3741c15e0e6e8d71b3d75b13cd9523d7a09e3aafdabfad3ca626a8f9fa953f0d8cff663e5f6fc40e7074744c226c97851e0e5281c5fc06

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727670771168387.txt

Filesize
99KB

MD5
e2481e5f518e59eedcb6eb0bdd680bde

SHA1
a206336cd44ee8dcc309fd5e2e7aa275fd1a2818

SHA256
dc745d065e5a20ad7c30eaea677421f201c5836d708e7526dee7699b9ee8225f

SHA512
4a66a537aa59b48edba0057ef117f7d8358453e9855e92a5f3c2e9845e0cb86a8190b750a851ef012ed5a4aea20c64cbbb1d55133229d21991639fc9a8fc58ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nlawy0zw.olt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kfTI4VSMNo.README.txt

Filesize
668B

MD5
a394f1b92b98c179bb938cae9e8e3df1

SHA1
ba927eea9781da902773ca530af62c43972cc7cb

SHA256
be746ee9dedc2863502a16370ad33c992d6ee13d1bdcaac56465ed3669dccaba

SHA512
913dad7ae0376b93e02e576165acf1ab71e98039a54d8584ed68bdab32d8887085566769a0d25426276bad2a0190a83ca1d4ca6a46f73181e78ddff7204c7c6f

Download Submit
memory/1848-1152-0x00007FFE2E223000-0x00007FFE2E225000-memory.dmp

Filesize
8KB

Download
memory/1848-46-0x00007FFE2E220000-0x00007FFE2ECE1000-memory.dmp

Filesize
10.8MB

Download
memory/1848-3-0x000001F97F290000-0x000001F97F306000-memory.dmp

Filesize
472KB

Download
memory/1848-1197-0x00007FFE2E220000-0x00007FFE2ECE1000-memory.dmp

Filesize
10.8MB

Download
memory/1848-50-0x000001F97F160000-0x000001F97F172000-memory.dmp

Filesize
72KB

Download
memory/1848-4-0x000001F97E8B0000-0x000001F97E900000-memory.dmp

Filesize
320KB

Download
memory/1848-2-0x00007FFE2E220000-0x00007FFE2ECE1000-memory.dmp

Filesize
10.8MB

Download
memory/1848-1-0x000001F97CAB0000-0x000001F97CAF4000-memory.dmp

Filesize
272KB

Download
memory/1848-2116-0x00007FFE2E220000-0x00007FFE2ECE1000-memory.dmp

Filesize
10.8MB

Download
memory/1848-2114-0x000001F97F4A0000-0x000001F97F649000-memory.dmp

Filesize
1.7MB

Download
memory/1848-49-0x000001F97F130000-0x000001F97F13A000-memory.dmp

Filesize
40KB

Download
memory/1848-0-0x00007FFE2E223000-0x00007FFE2E225000-memory.dmp

Filesize
8KB

Download
memory/1848-5-0x000001F97F340000-0x000001F97F35E000-memory.dmp

Filesize
120KB

Download
memory/3576-33-0x00007FFE2E220000-0x00007FFE2ECE1000-memory.dmp

Filesize
10.8MB

Download
memory/3576-30-0x00007FFE2E220000-0x00007FFE2ECE1000-memory.dmp

Filesize
10.8MB

Download
memory/3576-28-0x00000217062A0000-0x00000217062C2000-memory.dmp

Filesize
136KB

Download
memory/3576-7-0x00007FFE2E220000-0x00007FFE2ECE1000-memory.dmp

Filesize
10.8MB

Download
memory/3576-6-0x00007FFE2E220000-0x00007FFE2ECE1000-memory.dmp

Filesize
10.8MB

Download