13d3a1cdba937a0d1dcf706e85b320da66b2cc1ec1193839319511688847abbc

Analysis

max time kernel
299s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24012025_0110_Doc_874009379.vbe
Size

8KB
MD5

608aa4b6781b5333f940f9d0a933313f
SHA1

72282fe231e6e43d0785188e5e8509ff9bd59b8c
SHA256

13d3a1cdba937a0d1dcf706e85b320da66b2cc1ec1193839319511688847abbc
SHA512

3dbf0e3538070a372adb492b771e8360b02f4f3c0cf09092493d0c9bf487eefb26a8ee3a468047f3f36b284f34325e21f6c77b7352ca9e38a20b53c092f2684c
SSDEEP

192:3eS9aNfePvTsC7kYna9INmRo4OCk01bB3K:tsmj7k4aaYRtOCLBa

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2968	WScript.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2820	vlc.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
276	powershell.exe
276	powershell.exe
1324	powershell.exe
1324	powershell.exe
776	powershell.exe
776	powershell.exe
2188	powershell.exe
2188	powershell.exe
2352	powershell.exe
2352	powershell.exe
3032	powershell.exe
3032	powershell.exe
2652	powershell.exe
676	powershell.exe
2652	powershell.exe
532	powershell.exe
532	powershell.exe
1708	powershell.exe
1708	powershell.exe
276	powershell.exe
276	powershell.exe
2404	powershell.exe
1620	powershell.exe
2404	powershell.exe
2564	powershell.exe
2372	powershell.exe
2564	powershell.exe
2872	powershell.exe
844	powershell.exe
2872	powershell.exe
2684	powershell.exe
2684	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2820	vlc.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	276	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	676	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	276	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	844	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe

Suspicious use of FindShellTrayWindow 19 IoCs

pid	Process
2820	vlc.exe
2820	vlc.exe
2820	vlc.exe
2820	vlc.exe
2820	vlc.exe
2820	vlc.exe
2820	vlc.exe
2820	vlc.exe
2820	vlc.exe
2820	vlc.exe
2820	vlc.exe
2820	vlc.exe
2820	vlc.exe
2820	vlc.exe
2820	vlc.exe
2820	vlc.exe
2820	vlc.exe
2820	vlc.exe
2820	vlc.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
2820	vlc.exe
2820	vlc.exe
2820	vlc.exe
2820	vlc.exe
2820	vlc.exe
2820	vlc.exe
2820	vlc.exe
2820	vlc.exe
2820	vlc.exe
2820	vlc.exe
2820	vlc.exe
2820	vlc.exe
2820	vlc.exe
2820	vlc.exe
2820	vlc.exe
2820	vlc.exe
2820	vlc.exe
2820	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2820	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2588	2680	taskeng.exe	31
PID 2680 wrote to memory of 2588	2680	taskeng.exe	31
PID 2680 wrote to memory of 2588	2680	taskeng.exe	31
PID 2588 wrote to memory of 276	2588	WScript.exe	33
PID 2588 wrote to memory of 276	2588	WScript.exe	33
PID 2588 wrote to memory of 276	2588	WScript.exe	33
PID 276 wrote to memory of 1096	276	powershell.exe	35
PID 276 wrote to memory of 1096	276	powershell.exe	35
PID 276 wrote to memory of 1096	276	powershell.exe	35
PID 2588 wrote to memory of 1324	2588	WScript.exe	36
PID 2588 wrote to memory of 1324	2588	WScript.exe	36
PID 2588 wrote to memory of 1324	2588	WScript.exe	36
PID 1324 wrote to memory of 2440	1324	powershell.exe	38
PID 1324 wrote to memory of 2440	1324	powershell.exe	38
PID 1324 wrote to memory of 2440	1324	powershell.exe	38
PID 2588 wrote to memory of 776	2588	WScript.exe	39
PID 2588 wrote to memory of 776	2588	WScript.exe	39
PID 2588 wrote to memory of 776	2588	WScript.exe	39
PID 776 wrote to memory of 2436	776	powershell.exe	41
PID 776 wrote to memory of 2436	776	powershell.exe	41
PID 776 wrote to memory of 2436	776	powershell.exe	41
PID 2588 wrote to memory of 2188	2588	WScript.exe	43
PID 2588 wrote to memory of 2188	2588	WScript.exe	43
PID 2588 wrote to memory of 2188	2588	WScript.exe	43
PID 2188 wrote to memory of 1616	2188	powershell.exe	45
PID 2188 wrote to memory of 1616	2188	powershell.exe	45
PID 2188 wrote to memory of 1616	2188	powershell.exe	45
PID 2588 wrote to memory of 2352	2588	WScript.exe	46
PID 2588 wrote to memory of 2352	2588	WScript.exe	46
PID 2588 wrote to memory of 2352	2588	WScript.exe	46
PID 2352 wrote to memory of 1860	2352	powershell.exe	48
PID 2352 wrote to memory of 1860	2352	powershell.exe	48
PID 2352 wrote to memory of 1860	2352	powershell.exe	48
PID 2588 wrote to memory of 3032	2588	WScript.exe	49
PID 2588 wrote to memory of 3032	2588	WScript.exe	49
PID 2588 wrote to memory of 3032	2588	WScript.exe	49
PID 3032 wrote to memory of 1748	3032	powershell.exe	51
PID 3032 wrote to memory of 1748	3032	powershell.exe	51
PID 3032 wrote to memory of 1748	3032	powershell.exe	51
PID 2588 wrote to memory of 2652	2588	WScript.exe	52
PID 2588 wrote to memory of 2652	2588	WScript.exe	52
PID 2588 wrote to memory of 2652	2588	WScript.exe	52
PID 2588 wrote to memory of 676	2588	WScript.exe	55
PID 2588 wrote to memory of 676	2588	WScript.exe	55
PID 2588 wrote to memory of 676	2588	WScript.exe	55
PID 676 wrote to memory of 1324	676	powershell.exe	57
PID 676 wrote to memory of 1324	676	powershell.exe	57
PID 676 wrote to memory of 1324	676	powershell.exe	57
PID 2652 wrote to memory of 2920	2652	powershell.exe	58
PID 2652 wrote to memory of 2920	2652	powershell.exe	58
PID 2652 wrote to memory of 2920	2652	powershell.exe	58
PID 2588 wrote to memory of 532	2588	WScript.exe	59
PID 2588 wrote to memory of 532	2588	WScript.exe	59
PID 2588 wrote to memory of 532	2588	WScript.exe	59
PID 532 wrote to memory of 1156	532	powershell.exe	61
PID 532 wrote to memory of 1156	532	powershell.exe	61
PID 532 wrote to memory of 1156	532	powershell.exe	61
PID 2588 wrote to memory of 1708	2588	WScript.exe	62
PID 2588 wrote to memory of 1708	2588	WScript.exe	62
PID 2588 wrote to memory of 1708	2588	WScript.exe	62
PID 1708 wrote to memory of 1020	1708	powershell.exe	64
PID 1708 wrote to memory of 1020	1708	powershell.exe	64
PID 1708 wrote to memory of 1020	1708	powershell.exe	64
PID 2588 wrote to memory of 276	2588	WScript.exe	65

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24012025_0110_Doc_874009379.vbe"
1⤵
- Blocklisted process makes network request
PID:2968

C:\Windows\system32\taskeng.exe
taskeng.exe {420BFA46-0262-43A1-9809-88F37599418C} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\MGarnpObOtlJFvM.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:276
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "276" "1244"
      4⤵
      PID:1096
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1324
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1324" "1244"
      4⤵
      PID:2440
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:776
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "776" "1244"
      4⤵
      PID:2436
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2188
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2188" "1240"
      4⤵
      PID:1616
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2352" "1240"
      4⤵
      PID:1860
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "3032" "1248"
      4⤵
      PID:1748
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2652" "1180"
      4⤵
      PID:2920
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:676
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "676" "1132"
      4⤵
      PID:1324
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:532
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "532" "1240"
      4⤵
      PID:1156
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1708
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1708" "1244"
      4⤵
      PID:1020
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:276
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "276" "1244"
      4⤵
      PID:1200
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2404
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2404" "1236"
      4⤵
      PID:2384
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1620
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1620" "1132"
      4⤵
      PID:2212
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2564" "1232"
      4⤵
      PID:2008
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2372
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2372" "1132"
      4⤵
      PID:1560
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2872
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2872" "1176"
      4⤵
      PID:2656
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:844
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "844" "1132"
      4⤵
      PID:2704
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2684" "1236"
      4⤵
      PID:1404

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SaveDisconnect.M2T"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259495149.txt

Filesize
1KB

MD5
a0f5527a0dfbfd905f546a064ea63dc4

SHA1
fbf00907c6b39419f0e729b034f73bac8e2dc0a6

SHA256
209a8328b32b5bddd297cab6d4086eca869d13f7820cfaf240b47950d89e3359

SHA512
e0c4c0199a9023855d20095b4ab862e399289ce5698dd3658f37c3dc8b0d8be686c415dd83bbac3be8c3370603c56312530353b6938b5f87154d1568a712f4db

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259511716.txt

Filesize
1KB

MD5
f0ca25aca469f2228ef1146bdd4d4278

SHA1
24e36753de33c38c0e133409a60dec8cb8ac7336

SHA256
2f4c532cb7a37c63d5be82227814d301de95853c99c161b0b945256172c72fe7

SHA512
bbf4eca22ad8bccd8c86eb34f6bfa2ef9344049ed8b2d6b1da3128b42ea39bab3e4332fcb36034bbe5c8ef195d718ee9696165e30838ded5915531c58d3f271c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259524671.txt

Filesize
1KB

MD5
d42786bf7b24c6569b57615c32367f25

SHA1
0a477f9ac92b9c0a606a2a0565b6cf1733df4e10

SHA256
44228a2252cd6e567c7035db631ffa67e81ad7ab6fbf08a6dd81ad244fbde4c0

SHA512
d76b7fc827a0fcb4dbc633f66e3839751b99f9d67762f3677fc5f59c15b60708b2334b742ecca0bf66a5b0acc5c4ce02c81998bcaef3ede8aa5dc48d0cfc93a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259542378.txt

Filesize
1KB

MD5
05630ed887994386115ca0b587854182

SHA1
354eae1c442dd4a900c5dd43679baf71cc99dad6

SHA256
e8fe33c80756d40e251e241a5bf45b5a3882a28871f26e004d4c9087659068f9

SHA512
3bb347bb12bac12f63d456ec28340979d67df0a7790b4eda738ce3612fd551e3305f9ef562767f02858b0bee462bad674a300c0f16bed81df897fdb97a61d8f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259557629.txt

Filesize
1KB

MD5
7f04a86c231d616f933b15eeac543c04

SHA1
4ef9ea8a76a97ca19e5dfe8a7bf1d8b2d19d1c36

SHA256
2c7766ffc96eaa85e2f373c35795c002ce189caa99d65713b3652506847b4623

SHA512
b8aabd12d8757ff098c718e46ba93eff4dd7c703c37a4aca3291913757583bf9ced67a27f03b15026150a2253a676aea772551558ea9ae45fe77efaa73ea8c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259569491.txt

Filesize
1KB

MD5
3212aba0aaa853d1f57b123f3761a3fc

SHA1
dd909735d5a1a506752190d9fc6cb4d52b053bd3

SHA256
1b4f563b2f38266849654ec1ed9ebd0d349bdd8008812e9fb79a39d8a2f90368

SHA512
c7d9e385f448fb73065930a779e6ecd58230861525d9dd0b9559e52e5f95c9b754c40527c60c999741063bedb843e9b5c41152ed1df56047f56c5987c470220f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259600773.txt

Filesize
1KB

MD5
8aa6633c9151e4737ba7e964e44742ad

SHA1
53c8211942a43916b037bc79b87de798acdbfe2d

SHA256
15e2b0220a5b6fcd38a842fea4b4a31570198883dbf80a518b6ea3386d71b344

SHA512
830e378043ba897df8af1c56d9a97f0e496f4c1ab1835d494788ec84d1670aafe80aba6197189f480faba0ef755d4af9ce707871f7098a5c3aaebf5c96302eb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259602797.txt

Filesize
1KB

MD5
bcd5629dea3d04bfbd2920e335568c2d

SHA1
71b65cc4d13ba1cc418c60de3f0ddb4042ce601a

SHA256
8d619c9b48f912de055342dca36c5dea36faafcc3ce0ea4542f1dcb703996a2a

SHA512
6765a9d7f2f2fb9902d0c0663eb8158d3296c85de1011c1d3060c1ce1956769889cb369b29fe4aaa0cb7a34a9abd0f68819edd094bec66e4af0c2578b66f2dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259616583.txt

Filesize
1KB

MD5
121a00a24b2a833376887e090bfd0f0b

SHA1
650af7eb15ad3e4d373c44e6220eb62584523253

SHA256
2c36dc5b56e4f221e3acdb0129d15b0ba2dcfc166f86de9c791e87a42835c7d6

SHA512
bcec89b6b1ddddd69ca7a7d1c4461c026f8bd881300212ff68c9d4021d31fa1deda4348a6aa92397c9ba2152310cc5b0e4038fa4e54302687498036697246e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259632720.txt

Filesize
1KB

MD5
eb0610afcf992cbcc6ce5e60d3820dce

SHA1
eed32b5f984c7af07e3ff3339917318231aeaa11

SHA256
1d5bb44149d9286aa3a4b3f8e6ad1c37ff64099ca14f961a43aa606fb6b667e4

SHA512
94e45f6d9dfea710394c8efffaa371b066a4a88ca7a916752e85b2aab1d62a8427f4a5d159ea63915e0382e297b817cd4dd418f87d1da8d16550a15059825325

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259646126.txt

Filesize
1KB

MD5
1ab118856a56e14dffe485e82ebf986f

SHA1
3f0d653fc9c4393de33bf57b0d3816b2b1febd19

SHA256
072192fedc50c6b58582319161549f3a9b7c9594e9d88b4cad3a7cbd73f15ef2

SHA512
864a5ec4467cb54301c051955cf01815ff38a2f362ac8e742aa44951ba7523499d47e0274ec94bee411aa467f576ff97c53d7af3b9d8659a739ca4320117bdf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259674272.txt

Filesize
1KB

MD5
5f48108b82cc35ed818cbf866b101e8c

SHA1
ab0c896e81efd8e7453f6ff29926fd5c8af62d80

SHA256
cb82195ecd143c2f17500f9748f43933f1ae6630dff78c37f552f85e2dfe6b60

SHA512
f6479710aea74c681b12b4bc0e4f7e7318d2223b6ee28f19079bb9e8f13520f982fdebf1c9a1580bbcd0d250b96954e8470c869c3730a7aca5e6fa22e1de0dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259678096.txt

Filesize
1KB

MD5
f01de97fb9d47e2bbc459b196789aedc

SHA1
84f34842e648ca167b76c3348139e52caca91e10

SHA256
55bdba70e8e6af206742d55a0f45f62a533f54ea08b6361a8269e9753da4390d

SHA512
eb1c83e2f211d22c432f3020bb943d310a9f5076a8e45cb6dc6399e29ce9339c8153fc9b0a9392a583af62e5cb24fad22d5fb7bc96a5afbc0bcd649ed06e363d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259704055.txt

Filesize
1KB

MD5
8c7b46481d6e2476bbdd146bd5352c8b

SHA1
4a1c8e61f1a2dd6006db8864e3d75142dbb470eb

SHA256
e872ae2115233b4ba82ed0059ee10a3caac752e2ca999f576482e45259f40456

SHA512
6e0648e4e8007688ccdef677c3f46847e80f78a52e59523ac57ed81f69e31abed4e3ac28f987e70540538d4e07467e5ecf834bea4ad1ba30b8cdc3cedea361c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259704743.txt

Filesize
1KB

MD5
31616e17164414abdae76cdabdc2ce97

SHA1
a1bb856bca69b6a9168bb644d71b5aebd14a010c

SHA256
1b4bc613462f3f39b9d598eab229feb80d2f03da0aa815a96fdfe629ce1f1aba

SHA512
9bd17a22d8aff5b090aab2adb1f3bff6aa4a28591c6fe51aff77ed3d72342e8c976a4c7bd2e7625c35efd5fb0553b0085c1804e7f8aa57496a1c009ea8d2677a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259737469.txt

Filesize
1KB

MD5
efd54ef445032860774bc0fff9edde64

SHA1
82086f3b652911d5d32a21d597c522b39622b563

SHA256
2ec609691f2db557af1f7c4bda70077dce2686c041003982004688d20f6bab64

SHA512
af739355eb72634afc37feeda858bca1c4fb7ef3985165271c4e2e012f357e2194a73b8366344515c1462b8f14b8b0a293ee8398b409de9390161e33d19f39f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259739401.txt

Filesize
1KB

MD5
e739e85d93952f7b321ebb2042aeea3f

SHA1
e7aa5947c02e432a6930ea358aea38f0911c0d79

SHA256
ce72c35746a525153c1e61afffd7376fd4f2156691eabe29653ef4f8a219e9ca

SHA512
fe658c93f66786ca0f4f4baea4f657dfcaf61605f2c35a1dd404a64d5eb06b4df9356002835661f5399d47ea27ec6d98626ede12feeff8316601dea54dbbad4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259749351.txt

Filesize
1KB

MD5
5d55e4adabab25c1acda781c3aa745dd

SHA1
874d4be074862d323cc9623d136c02354d08f3db

SHA256
1d5ca9ba82f6653d18ede5da07c115bc1a98f1b8abdd488de2bf6668c0569679

SHA512
8bcf3cb609863e680bce3300c7aaf5f3296e36658e61cee8bc030e39c90f40ee5bf4810459a7ab03ea4951d36c8181b5375dbcac479d5c0ff4edf1dcc7b09b65

Download Submit
C:\Users\Admin\AppData\Roaming\MGarnpObOtlJFvM.vbs

Filesize
2KB

MD5
6892edb9f965b62befb2ef9a8b583b55

SHA1
fa825f6f1639d4f7a58e4b6a0e3d3b016a5194cf

SHA256
0dae80f252e22ede7270ecb5ee2142b9d711479595c71279201738b539d934c6

SHA512
e6ef2854016748f997e7a251f2a9e6cbe71906dd4f30bd72bc3478d08771a9261afd7a7ed1b52968135ea657f9c6886d0cb9b6e36a382db4f800fccebf09ecbd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
742f5f69790e0e13eaf5d947f564579c

SHA1
d986d1d8622e5f40127f04e4b4622da300ce9ad5

SHA256
95dba2d7ca4b850460120b3e5b299262ccd4886afc96c8135762d1480fd474c3

SHA512
e212e0f49f8e4ccf2ead407a77541cb6714ee06ddc9fda93e951fd870288ea37309ee8b1dca35473e8fe4742c2a0a7a8d2746c49a78247406c346cf5dd3a364a

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.em2820

Filesize
79B

MD5
37a0897dbe04578fb0f8380d0c15dc61

SHA1
b4a124b96d0a64e9282172a274aa62515ad999e8

SHA256
c2868e295ee512f6f6365deb8c48aa9b952e6470729e2c76e5c4044a2fa41a29

SHA512
e69ad28178da7fb36f30c84d86681ab8ef291a3bcc06672d905fca74768883fba4920d7b872906613d6db9d47eb201d589fdb289953d2d415b5812b2843d31e0

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlcrc.2820

Filesize
94KB

MD5
7b37c4f352a44c8246bf685258f75045

SHA1
817dacb245334f10de0297e69c98b4c9470f083e

SHA256
ec45f6e952b43eddc214dba703cf7f31398f3c9f535aad37f42237c56b9b778e

SHA512
1e8d675b3c6c9ba257b616da268cac7f1c7a9db12ffb831ed5f8d43c0887d711c197ebc9daf735e3da9a0355bf21c2b29a2fb38a46482a2c5c8cd5628fea4c02

Download Submit
memory/276-8-0x0000000002910000-0x0000000002918000-memory.dmp

Filesize
32KB

Download
memory/276-7-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/276-6-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/1324-17-0x0000000000570000-0x0000000000578000-memory.dmp

Filesize
32KB

Download
memory/1324-16-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2820-74-0x000007FEF28C0000-0x000007FEF28D1000-memory.dmp

Filesize
68KB

Download
memory/2820-83-0x000007FEF22B0000-0x000007FEF232C000-memory.dmp

Filesize
496KB

Download
memory/2820-75-0x000007FEF28A0000-0x000007FEF28B1000-memory.dmp

Filesize
68KB

Download
memory/2820-73-0x000007FEF28E0000-0x000007FEF28F8000-memory.dmp

Filesize
96KB

Download
memory/2820-72-0x000007FEF2900000-0x000007FEF2921000-memory.dmp

Filesize
132KB

Download
memory/2820-77-0x000007FEF2860000-0x000007FEF287B000-memory.dmp

Filesize
108KB

Download
memory/2820-80-0x000007FEF27F0000-0x000007FEF2820000-memory.dmp

Filesize
192KB

Download
memory/2820-91-0x000007FEF0730000-0x000007FEF0742000-memory.dmp

Filesize
72KB

Download
memory/2820-81-0x000007FEED300000-0x000007FEEE3B0000-memory.dmp

Filesize
16.7MB

Download
memory/2820-92-0x000007FEEECF0000-0x000007FEEED07000-memory.dmp

Filesize
92KB

Download
memory/2820-90-0x000007FEF0750000-0x000007FEF0761000-memory.dmp

Filesize
68KB

Download
memory/2820-89-0x000007FEF0770000-0x000007FEF0793000-memory.dmp

Filesize
140KB

Download
memory/2820-88-0x000007FEF07A0000-0x000007FEF07B8000-memory.dmp

Filesize
96KB

Download
memory/2820-87-0x000007FEF2280000-0x000007FEF22A4000-memory.dmp

Filesize
144KB

Download
memory/2820-86-0x000007FEF27A0000-0x000007FEF27C8000-memory.dmp

Filesize
160KB

Download
memory/2820-85-0x000007FEF1BF0000-0x000007FEF1C47000-memory.dmp

Filesize
348KB

Download
memory/2820-84-0x000007FEF27D0000-0x000007FEF27E1000-memory.dmp

Filesize
68KB

Download
memory/2820-71-0x000007FEF3A00000-0x000007FEF3A41000-memory.dmp

Filesize
260KB

Download
memory/2820-82-0x000007FEF2330000-0x000007FEF2397000-memory.dmp

Filesize
412KB

Download
memory/2820-78-0x000007FEF2840000-0x000007FEF2851000-memory.dmp

Filesize
68KB

Download
memory/2820-79-0x000007FEF2820000-0x000007FEF2838000-memory.dmp

Filesize
96KB

Download
memory/2820-76-0x000007FEF2880000-0x000007FEF2891000-memory.dmp

Filesize
68KB

Download
memory/2820-69-0x000007FEF2930000-0x000007FEF2B3B000-memory.dmp

Filesize
2.0MB

Download
memory/2820-70-0x000007FEF3A50000-0x000007FEF3A61000-memory.dmp

Filesize
68KB

Download
memory/2820-63-0x000007FEF86D0000-0x000007FEF86E8000-memory.dmp

Filesize
96KB

Download
memory/2820-62-0x000007FEF7480000-0x000007FEF7736000-memory.dmp

Filesize
2.7MB

Download
memory/2820-65-0x000007FEF7420000-0x000007FEF7431000-memory.dmp

Filesize
68KB

Download
memory/2820-66-0x000007FEF3AB0000-0x000007FEF3AC7000-memory.dmp

Filesize
92KB

Download
memory/2820-68-0x000007FEF3A70000-0x000007FEF3A8D000-memory.dmp

Filesize
116KB

Download
memory/2820-67-0x000007FEF3A90000-0x000007FEF3AA1000-memory.dmp

Filesize
68KB

Download
memory/2820-64-0x000007FEF7860000-0x000007FEF7877000-memory.dmp

Filesize
92KB

Download
memory/2820-60-0x000000013FAD0000-0x000000013FBC8000-memory.dmp

Filesize
992KB

Download
memory/2820-61-0x000007FEF8400000-0x000007FEF8434000-memory.dmp

Filesize
208KB

Download