phobos | e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0

Analysis

max time kernel
109s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-06-2023 11:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9769c181ecef69544bbb2f974b8c0e10.exe
Size

281KB
MD5

9769c181ecef69544bbb2f974b8c0e10
SHA1

5d0f447f4ccc89d7d79c0565372195240cdfa25f
SHA256

e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0
SHA512

b3da8fea6ee5d6b67f55a4043f18d7325f1700c9f3dcb0e7cbf21f49ebdbb56b5a10a2d03153d0dfb1e8dc34db20cdea0236c448f2c361fadbabf9a6f59b4c7a
SSDEEP

3072:Z5SXIMALRKEttgCWAbi1D1fJmxIV0BN3omE9MA5yXsztcJe9:GIMpEtCCWAbiBRmE9o6

Score

10^/10

phobos smokeloader backdoor collection evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://serverlogs37.xyz/statweb255/

http://servblog757.xyz/statweb255/

http://dexblog45.xyz/statweb255/

http://admlogs.online/statweb255/

http://blogstat355.xyz/statweb255/

http://blogstatserv25.xyz/statweb255/

rc4.i32

Extracted

Path

C:\info.hta

Ransom Note

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>cartilage</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #C6B5C4; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #B5CC8E; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #e6ecf2; border-left: 10px solid #B58CB2; } .alert { background: #FFE4E4; border-left: 10px solid #FFA07A; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC.</div> <div class='bold'>If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Or write us to the Tox: <span class='mark'>78E21CFF7AA85F713C1530AEF2E74E62830BEE77238F4B0A73E5E3251EAD56427BF9F7A1A074</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>18CA63B3-3483</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>

Emails

class='mark'>[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Extracted

Path

C:\info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Or write us to the Tox: 78E21CFF7AA85F713C1530AEF2E74E62830BEE77238F4B0A73E5E3251EAD56427BF9F7A1A074 Write this ID in the title of your message 18CA63B3-3483 You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

948 bcdedit.exe
4860 bcdedit.exe
5564 bcdedit.exe
5632 bcdedit.exe
Renames multiple (472) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

pid	process
948	bcdedit.exe
4860	bcdedit.exe
5564	bcdedit.exe
5632	bcdedit.exe

Blocklisted process makes network request 64 IoCs

Processes:

powershell.exe

flow	pid	process
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe
32	228	powershell.exe

Deletes backup catalog 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

296 wbadmin.exe
5680 wbadmin.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

4772 netsh.exe
3208 netsh.exe

pid	process
296	wbadmin.exe
5680	wbadmin.exe

pid	process
4772	netsh.exe
3208	netsh.exe

Drops startup file 3 IoCs

Processes:

CCBD.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CCBD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[18CA63B3-3483].[[email protected]].8base	CCBD.exe
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\CCBD.exe	CCBD.exe

Executes dropped EXE 6 IoCs

Processes:

C78B.exeCA4B.exeCCBD.exeCCBD.exeusbitrgusbitrg

pid process

2976 C78B.exe
1100 CA4B.exe
3184 CCBD.exe
1180 CCBD.exe
4420 usbitrg
1940 usbitrg
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2976	C78B.exe
1100	CA4B.exe
3184	CCBD.exe
1180	CCBD.exe
4420	usbitrg
1940	usbitrg

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

C78B.exeCCBD.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rhyivhytef = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rhyivhytef.exe\""	C78B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CCBD = "C:\\Users\\Admin\\AppData\\Local\\CCBD.exe"	CCBD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CCBD = "C:\\Users\\Admin\\AppData\\Local\\CCBD.exe"	CCBD.exe

Drops desktop.ini file(s) 39 IoCs

Processes:

CCBD.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CCBD.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CCBD.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CCBD.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CCBD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CCBD.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CCBD.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CCBD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CCBD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CCBD.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CCBD.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CCBD.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CCBD.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	CCBD.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CCBD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CCBD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CCBD.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\desktop.ini	CCBD.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CCBD.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CCBD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CCBD.exe
File opened for modification	C:\Program Files\desktop.ini	CCBD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CCBD.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CCBD.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CCBD.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CCBD.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CCBD.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CCBD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CCBD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CCBD.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CCBD.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CCBD.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	CCBD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CCBD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CCBD.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CCBD.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CCBD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CCBD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CCBD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CCBD.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs

Processes:

powershell.exe

pid	process
228	powershell.exe
228	powershell.exe
228	powershell.exe
228	powershell.exe
228	powershell.exe
228	powershell.exe
228	powershell.exe
228	powershell.exe
228	powershell.exe
228	powershell.exe
228	powershell.exe
228	powershell.exe
228	powershell.exe
228	powershell.exe
228	powershell.exe
228	powershell.exe
228	powershell.exe
228	powershell.exe
228	powershell.exe
228	powershell.exe
228	powershell.exe
228	powershell.exe
228	powershell.exe
228	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

9769c181ecef69544bbb2f974b8c0e10.exepowershell.exeusbitrg

description	pid	process	target process
PID 2700 set thread context of 3816	2700	9769c181ecef69544bbb2f974b8c0e10.exe	9769c181ecef69544bbb2f974b8c0e10.exe
PID 228 set thread context of 288	228	powershell.exe	aspnet_compiler.exe
PID 4420 set thread context of 1940	4420	usbitrg	usbitrg

Drops file in Program Files directory 64 IoCs

Processes:

CCBD.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libequalizer_plugin.dll	CCBD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Styles.xbf	CCBD.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT.id[18CA63B3-3483].[[email protected]].8base	CCBD.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe.id[18CA63B3-3483].[[email protected]].8base	CCBD.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\Microsoft.PackageManagement.ArchiverProviders.resources.dll	CCBD.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\ui-strings.js.id[18CA63B3-3483].[[email protected]].8base	CCBD.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\css\main-selector.css.id[18CA63B3-3483].[[email protected]].8base	CCBD.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui	CCBD.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui	CCBD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\AppxManifest.xml	CCBD.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Measure.aapp	CCBD.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	CCBD.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\sunec.jar	CCBD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODBC.DLL	CCBD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_contrast-white.png	CCBD.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt-BR\msipc.dll.mui.id[18CA63B3-3483].[[email protected]].8base	CCBD.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_xd.svg	CCBD.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailLargeTile.scale-400.png	CCBD.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-oob.xrm-ms.id[18CA63B3-3483].[[email protected]].8base	CCBD.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected][18CA63B3-3483].[[email protected]].8base	CCBD.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_removeme-default_18.svg	CCBD.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SplashScreen.scale-100.png	CCBD.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_zh_CN.jar.id[18CA63B3-3483].[[email protected]].8base	CCBD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe	CCBD.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libd3d11va_plugin.dll.id[18CA63B3-3483].[[email protected]].8base	CCBD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\bootstrap.html	CCBD.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeSmallTile.scale-100.png	CCBD.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml.id[18CA63B3-3483].[[email protected]].8base	CCBD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ppd.xrm-ms	CCBD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-oob.xrm-ms	CCBD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationSensorCalibrationFigure.png	CCBD.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.ja_5.5.0.165303.jar	CCBD.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml	CCBD.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\PREVIEW.GIF.id[18CA63B3-3483].[[email protected]].8base	CCBD.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jetty.util_8.1.14.v20131031.jar	CCBD.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-gb\ui-strings.js.id[18CA63B3-3483].[[email protected]].8base	CCBD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.Model.CX.dll	CCBD.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\com-sun-tools-visualvm-modules-startup.jar.id[18CA63B3-3483].[[email protected]].8base	CCBD.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7wre_es.dub.id[18CA63B3-3483].[[email protected]].8base	CCBD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msjet.xsl	CCBD.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	CCBD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-256.png	CCBD.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	CCBD.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ul-oob.xrm-ms.id[18CA63B3-3483].[[email protected]].8base	CCBD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ppd.xrm-ms	CCBD.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_up_hover_18.svg	CCBD.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\bs.pak.id[18CA63B3-3483].[[email protected]].8base	CCBD.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldNotContain.snippets.ps1xml	CCBD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\msipc.dll.mui	CCBD.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\msitss55.dll.id[18CA63B3-3483].[[email protected]].8base	CCBD.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudt.dll.id[18CA63B3-3483].[[email protected]].8base	CCBD.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODEXL.DLL.id[18CA63B3-3483].[[email protected]].8base	CCBD.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libupnp_plugin.dll.id[18CA63B3-3483].[[email protected]].8base	CCBD.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\libsmartscreen.dll.id[18CA63B3-3483].[[email protected]].8base	CCBD.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-tools.xml.id[18CA63B3-3483].[[email protected]].8base	CCBD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7ES.DLL	CCBD.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\vlc.mo	CCBD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.NetFX35.dll	CCBD.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-180.png.id[18CA63B3-3483].[[email protected]].8base	CCBD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-96_altform-unplated_contrast-black.png	CCBD.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ppd.xrm-ms.id[18CA63B3-3483].[[email protected]].8base	CCBD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.exe	CCBD.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\css\main.css	CCBD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-phn.xrm-ms	CCBD.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5112 1180 WerFault.exe CCBD.exe

pid	pid_target	process	target process
5112	1180	WerFault.exe	CCBD.exe

Checks SCSI registry key(s) 3 TTPs 10 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

9769c181ecef69544bbb2f974b8c0e10.exevds.exeusbitrg

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9769c181ecef69544bbb2f974b8c0e10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	usbitrg
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	usbitrg
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	usbitrg
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9769c181ecef69544bbb2f974b8c0e10.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9769c181ecef69544bbb2f974b8c0e10.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2748 vssadmin.exe
5708 vssadmin.exe

pid	process
2748	vssadmin.exe
5708	vssadmin.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9769c181ecef69544bbb2f974b8c0e10.exe

pid	process
3816	9769c181ecef69544bbb2f974b8c0e10.exe
3816	9769c181ecef69544bbb2f974b8c0e10.exe
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3200

pid	process
3200

Suspicious behavior: MapViewOfSection 32 IoCs

Processes:

9769c181ecef69544bbb2f974b8c0e10.exeusbitrg

pid	process
3816	9769c181ecef69544bbb2f974b8c0e10.exe
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
3200
1940	usbitrg

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeCCBD.exevssvc.exeWMIC.exewbengine.exeC78B.exeaspnet_compiler.exe

description	pid	process
Token: SeDebugPrivilege	228	powershell.exe
Token: SeShutdownPrivilege	3200
Token: SeCreatePagefilePrivilege	3200
Token: SeDebugPrivilege	3184	CCBD.exe
Token: SeBackupPrivilege	4600	vssvc.exe
Token: SeRestorePrivilege	4600	vssvc.exe
Token: SeAuditPrivilege	4600	vssvc.exe
Token: SeIncreaseQuotaPrivilege	848	WMIC.exe
Token: SeSecurityPrivilege	848	WMIC.exe
Token: SeTakeOwnershipPrivilege	848	WMIC.exe
Token: SeLoadDriverPrivilege	848	WMIC.exe
Token: SeSystemProfilePrivilege	848	WMIC.exe
Token: SeSystemtimePrivilege	848	WMIC.exe
Token: SeProfSingleProcessPrivilege	848	WMIC.exe
Token: SeIncBasePriorityPrivilege	848	WMIC.exe
Token: SeCreatePagefilePrivilege	848	WMIC.exe
Token: SeBackupPrivilege	848	WMIC.exe
Token: SeRestorePrivilege	848	WMIC.exe
Token: SeShutdownPrivilege	848	WMIC.exe
Token: SeDebugPrivilege	848	WMIC.exe
Token: SeSystemEnvironmentPrivilege	848	WMIC.exe
Token: SeRemoteShutdownPrivilege	848	WMIC.exe
Token: SeUndockPrivilege	848	WMIC.exe
Token: SeManageVolumePrivilege	848	WMIC.exe
Token: 33	848	WMIC.exe
Token: 34	848	WMIC.exe
Token: 35	848	WMIC.exe
Token: 36	848	WMIC.exe
Token: SeIncreaseQuotaPrivilege	848	WMIC.exe
Token: SeSecurityPrivilege	848	WMIC.exe
Token: SeTakeOwnershipPrivilege	848	WMIC.exe
Token: SeLoadDriverPrivilege	848	WMIC.exe
Token: SeSystemProfilePrivilege	848	WMIC.exe
Token: SeSystemtimePrivilege	848	WMIC.exe
Token: SeProfSingleProcessPrivilege	848	WMIC.exe
Token: SeIncBasePriorityPrivilege	848	WMIC.exe
Token: SeCreatePagefilePrivilege	848	WMIC.exe
Token: SeBackupPrivilege	848	WMIC.exe
Token: SeRestorePrivilege	848	WMIC.exe
Token: SeShutdownPrivilege	848	WMIC.exe
Token: SeDebugPrivilege	848	WMIC.exe
Token: SeSystemEnvironmentPrivilege	848	WMIC.exe
Token: SeRemoteShutdownPrivilege	848	WMIC.exe
Token: SeUndockPrivilege	848	WMIC.exe
Token: SeManageVolumePrivilege	848	WMIC.exe
Token: 33	848	WMIC.exe
Token: 34	848	WMIC.exe
Token: 35	848	WMIC.exe
Token: 36	848	WMIC.exe
Token: SeShutdownPrivilege	3200
Token: SeCreatePagefilePrivilege	3200
Token: SeBackupPrivilege	3828	wbengine.exe
Token: SeRestorePrivilege	3828	wbengine.exe
Token: SeSecurityPrivilege	3828	wbengine.exe
Token: SeShutdownPrivilege	3200
Token: SeCreatePagefilePrivilege	3200
Token: SeDebugPrivilege	2976	C78B.exe
Token: SeShutdownPrivilege	228	powershell.exe
Token: SeCreatePagefilePrivilege	228	powershell.exe
Token: SeDebugPrivilege	288	aspnet_compiler.exe
Token: SeShutdownPrivilege	3200
Token: SeCreatePagefilePrivilege	3200
Token: SeShutdownPrivilege	3200
Token: SeCreatePagefilePrivilege	3200

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9769c181ecef69544bbb2f974b8c0e10.exeCA4B.exeCCBD.execmd.execmd.exe

description	pid	process	target process
PID 2700 wrote to memory of 3816	2700	9769c181ecef69544bbb2f974b8c0e10.exe	9769c181ecef69544bbb2f974b8c0e10.exe
PID 2700 wrote to memory of 3816	2700	9769c181ecef69544bbb2f974b8c0e10.exe	9769c181ecef69544bbb2f974b8c0e10.exe
PID 2700 wrote to memory of 3816	2700	9769c181ecef69544bbb2f974b8c0e10.exe	9769c181ecef69544bbb2f974b8c0e10.exe
PID 2700 wrote to memory of 3816	2700	9769c181ecef69544bbb2f974b8c0e10.exe	9769c181ecef69544bbb2f974b8c0e10.exe
PID 2700 wrote to memory of 3816	2700	9769c181ecef69544bbb2f974b8c0e10.exe	9769c181ecef69544bbb2f974b8c0e10.exe
PID 2700 wrote to memory of 3816	2700	9769c181ecef69544bbb2f974b8c0e10.exe	9769c181ecef69544bbb2f974b8c0e10.exe
PID 3200 wrote to memory of 2976	3200		C78B.exe
PID 3200 wrote to memory of 2976	3200		C78B.exe
PID 3200 wrote to memory of 1100	3200		CA4B.exe
PID 3200 wrote to memory of 1100	3200		CA4B.exe
PID 3200 wrote to memory of 1100	3200		CA4B.exe
PID 3200 wrote to memory of 3184	3200		CCBD.exe
PID 3200 wrote to memory of 3184	3200		CCBD.exe
PID 3200 wrote to memory of 3184	3200		CCBD.exe
PID 3200 wrote to memory of 1060	3200		explorer.exe
PID 3200 wrote to memory of 1060	3200		explorer.exe
PID 3200 wrote to memory of 1060	3200		explorer.exe
PID 3200 wrote to memory of 1060	3200		explorer.exe
PID 1100 wrote to memory of 228	1100	CA4B.exe	powershell.exe
PID 1100 wrote to memory of 228	1100	CA4B.exe	powershell.exe
PID 1100 wrote to memory of 228	1100	CA4B.exe	powershell.exe
PID 3200 wrote to memory of 4504	3200		explorer.exe
PID 3200 wrote to memory of 4504	3200		explorer.exe
PID 3200 wrote to memory of 4504	3200		explorer.exe
PID 3200 wrote to memory of 5088	3200		explorer.exe
PID 3200 wrote to memory of 5088	3200		explorer.exe
PID 3200 wrote to memory of 5088	3200		explorer.exe
PID 3200 wrote to memory of 5088	3200		explorer.exe
PID 3200 wrote to memory of 1324	3200		explorer.exe
PID 3200 wrote to memory of 1324	3200		explorer.exe
PID 3200 wrote to memory of 1324	3200		explorer.exe
PID 3200 wrote to memory of 1324	3200		explorer.exe
PID 3200 wrote to memory of 404	3200		explorer.exe
PID 3200 wrote to memory of 404	3200		explorer.exe
PID 3200 wrote to memory of 404	3200		explorer.exe
PID 3200 wrote to memory of 404	3200		explorer.exe
PID 3200 wrote to memory of 4276	3200		explorer.exe
PID 3200 wrote to memory of 4276	3200		explorer.exe
PID 3200 wrote to memory of 4276	3200		explorer.exe
PID 3184 wrote to memory of 372	3184	CCBD.exe	cmd.exe
PID 3184 wrote to memory of 372	3184	CCBD.exe	cmd.exe
PID 3184 wrote to memory of 2292	3184	CCBD.exe	cmd.exe
PID 3184 wrote to memory of 2292	3184	CCBD.exe	cmd.exe
PID 3200 wrote to memory of 3532	3200		explorer.exe
PID 3200 wrote to memory of 3532	3200		explorer.exe
PID 3200 wrote to memory of 3532	3200		explorer.exe
PID 3200 wrote to memory of 3532	3200		explorer.exe
PID 3200 wrote to memory of 1468	3200		explorer.exe
PID 3200 wrote to memory of 1468	3200		explorer.exe
PID 3200 wrote to memory of 1468	3200		explorer.exe
PID 2292 wrote to memory of 3208	2292	cmd.exe	netsh.exe
PID 2292 wrote to memory of 3208	2292	cmd.exe	netsh.exe
PID 3200 wrote to memory of 3708	3200		explorer.exe
PID 3200 wrote to memory of 3708	3200		explorer.exe
PID 3200 wrote to memory of 3708	3200		explorer.exe
PID 3200 wrote to memory of 3708	3200		explorer.exe
PID 372 wrote to memory of 2748	372	cmd.exe	vssadmin.exe
PID 372 wrote to memory of 2748	372	cmd.exe	vssadmin.exe
PID 3200 wrote to memory of 3692	3200		explorer.exe
PID 3200 wrote to memory of 3692	3200		explorer.exe
PID 3200 wrote to memory of 3692	3200		explorer.exe
PID 3200 wrote to memory of 2396	3200		explorer.exe
PID 3200 wrote to memory of 2396	3200		explorer.exe
PID 3200 wrote to memory of 2396	3200		explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe
"C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe
  "C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3816

C:\Users\Admin\AppData\Local\Temp\C78B.exe
C:\Users\Admin\AppData\Local\Temp\C78B.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Users\Admin\AppData\Local\Temp\CA4B.exe
C:\Users\Admin\AppData\Local\Temp\CA4B.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:228
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
    3⤵
    PID:4196
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:288

C:\Users\Admin\AppData\Local\Temp\CCBD.exe
C:\Users\Admin\AppData\Local\Temp\CCBD.exe
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Users\Admin\AppData\Local\Temp\CCBD.exe
  "C:\Users\Admin\AppData\Local\Temp\CCBD.exe"
  2⤵
  - Executes dropped EXE
  PID:1180
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 460
    3⤵
    - Program crash
    PID:5112
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:3208
- - C:\Windows\system32\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    PID:4772
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:372
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2748
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:848
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:948
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4860
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:296
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:5552
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:3804
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:5560
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:5416
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:5708
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    PID:5884
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:5564
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:5632
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:5680

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1060

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1180 -ip 1180
1⤵
PID:3900

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5088

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1324

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:404

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4276

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3532

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1468

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3708

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3692

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2396

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2992

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2836

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4492

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1004

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3828

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2832

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:1224

C:\Users\Admin\AppData\Roaming\usbitrg
C:\Users\Admin\AppData\Roaming\usbitrg
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4420
- C:\Users\Admin\AppData\Roaming\usbitrg
  C:\Users\Admin\AppData\Roaming\usbitrg
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:1940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
1⤵
PID:5396

C:\Users\Admin\AppData\Roaming\Name\Target.exe
C:\Users\Admin\AppData\Roaming\Name\Target.exe
1⤵
PID:3856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id[18CA63B3-3483].[[email protected]].8base

Filesize
2.7MB

MD5
05bcd9ce54febd90a534470f61051ba6

SHA1
9740865edcebb597c7f51d296c2b7081b49e02ac

SHA256
f7033f579179c51a3673855e2fcf558b2a66df6b2458ac34898a16749a2bd3c7

SHA512
77f336bf8cdbcdda524bd949d848aafe2d1b8864ce08adcf8c71913c2737d081a910c19c7ee9d7a88d871522be0bd1b0375738f47f0d68b1fbea51e65aa5862f

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\CCBD.exe

Filesize
281KB

MD5
2809e15a3a54484e042fe65fffd17409

SHA1
4a8f0331abaf8f629b3c8220f0d55339cfa30223

SHA256
518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c

SHA512
698e16fd67861377e2ccaace4d0e1a619a8b7c68e8aefc4090e9d1cbbcdfb8d8aede76f9e63f81479f5a035e8008699a4d7175da6248e6e49eb7c81b3dba30c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CA4B.exe.log

Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aspnet_compiler.exe.log

Filesize
2KB

MD5
9b756bc85e5324eb8f87a69e3f9959ab

SHA1
1778b2e2d6a00c421578a284db1e743931611d66

SHA256
e347a39e49ca8c835cc47d3f039230969e7c4156089f2e83e8a0aed1df88016e

SHA512
c897af3307e3c3163762021f49934ac5fbeab27f123e814bc390bdf1f0ed46671afeadcc87a8a4b18ddf13f4abd0d8ef00343af91ff999d7d447c96505d866d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
556491219a6ad3dc6d671b8e18d8e2f6

SHA1
906e7a723d6ec5501951f906191ed956f81975d7

SHA256
8400c727b4a9cc431a250db16f3f5da4c50d3b6068b8c61cdf57d3eb9b2b520d

SHA512
9f83608b919de80b9945e687f418d46ca5407bd4cdd0fc3737367251647f683be3759a09e0857d86229758cbd89a3ca3f8b61afa5b18afe07eee3c7a2235a96b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000024.db.id[18CA63B3-3483].[[email protected]].8base

Filesize
91KB

MD5
82d6f68b91773f822dd1bf8752809e1a

SHA1
469668fb73114b06da4b71b556a3d7af5465f1c0

SHA256
80543cef535f87f44c6cf670b2ea4b78f3650df9262f7335289b6b1bceef48df

SHA512
d1a8081ec68cff8026dd03e108460f0085a77aefbea6db92b70138234fcc78ba700d7814f7c48d9cc1dcd19aaba6bd6fa23bd13ddc78ccf3714657bc42430213

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
3337d66209faa998d52d781d0ff2d804

SHA1
6594b85a70f998f79f43cdf1ca56137997534156

SHA256
9b946b062865f68b9f0f43a011d33d7ea0926a3c8f78fb20d9cab6144314e1bd

SHA512
8bbd14bd73111f7b55712f5d1e1b727e41db8e6e0c1243ee6809ff32b509e52dec7af34c064151fb5beccd59dda434a3f83abe987c561a25abfbb4cbcf9c7f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
21KB

MD5
07d837817d29421acf3bd015fab500e7

SHA1
f255d1e9a114fbf42f8fd045fe6df45a46f4c21f

SHA256
c70dd5137dfd5940a1e0b5145e5008492a2baadddc580c065b5c35d98571f6df

SHA512
36e3ab2805a5610f60de26e371140220eed597b52c9e52e8f59dfd9b86c3da7f25f07df596e794e520205df9fa6c8e25cb5db0b68ff390e23c36ce0a6411c246

Download Submit
C:\Users\Admin\AppData\Local\Temp\C78B.exe

Filesize
2.6MB

MD5
e7ac55d61ab9cfcf180c92c1381a2fa1

SHA1
f79fe555c492a9effe26ead87ec7eb3c53899083

SHA256
afddec37cdc1d196a1136e2252e925c0dcfe587963069d78775e0f174ae9cfe3

SHA512
e3fa85d3af3625384ecea090a7c205325825a1b91ad43e1f86f56a719ad733d71b4be9c34edd03d8ff774e28b3feb605dc073f66f4a01359f8e4bad5b8bcfae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\C78B.exe

Filesize
2.6MB

MD5
e7ac55d61ab9cfcf180c92c1381a2fa1

SHA1
f79fe555c492a9effe26ead87ec7eb3c53899083

SHA256
afddec37cdc1d196a1136e2252e925c0dcfe587963069d78775e0f174ae9cfe3

SHA512
e3fa85d3af3625384ecea090a7c205325825a1b91ad43e1f86f56a719ad733d71b4be9c34edd03d8ff774e28b3feb605dc073f66f4a01359f8e4bad5b8bcfae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA4B.exe

Filesize
228KB

MD5
d1f12c03b8ce33b36d8423b057c7d6c5

SHA1
d6d0631a1f95e3972a803ed1c57b120815b2b5cf

SHA256
c6bd5b8e14551eb899bbe4decb6942581d28b2a42b159146bbc28316e6e14a64

SHA512
43b51f630d631d4f5cac97242595b25d07306280e183c22821f351af1fc2fc118b836df8bd8e06984f5e0cb21b25954dbd335666bd2cd2c5b98b22948bedbf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA4B.exe

Filesize
228KB

MD5
d1f12c03b8ce33b36d8423b057c7d6c5

SHA1
d6d0631a1f95e3972a803ed1c57b120815b2b5cf

SHA256
c6bd5b8e14551eb899bbe4decb6942581d28b2a42b159146bbc28316e6e14a64

SHA512
43b51f630d631d4f5cac97242595b25d07306280e183c22821f351af1fc2fc118b836df8bd8e06984f5e0cb21b25954dbd335666bd2cd2c5b98b22948bedbf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCBD.exe

Filesize
281KB

MD5
2809e15a3a54484e042fe65fffd17409

SHA1
4a8f0331abaf8f629b3c8220f0d55339cfa30223

SHA256
518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c

SHA512
698e16fd67861377e2ccaace4d0e1a619a8b7c68e8aefc4090e9d1cbbcdfb8d8aede76f9e63f81479f5a035e8008699a4d7175da6248e6e49eb7c81b3dba30c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCBD.exe

Filesize
281KB

MD5
2809e15a3a54484e042fe65fffd17409

SHA1
4a8f0331abaf8f629b3c8220f0d55339cfa30223

SHA256
518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c

SHA512
698e16fd67861377e2ccaace4d0e1a619a8b7c68e8aefc4090e9d1cbbcdfb8d8aede76f9e63f81479f5a035e8008699a4d7175da6248e6e49eb7c81b3dba30c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCBD.exe

Filesize
281KB

MD5
2809e15a3a54484e042fe65fffd17409

SHA1
4a8f0331abaf8f629b3c8220f0d55339cfa30223

SHA256
518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c

SHA512
698e16fd67861377e2ccaace4d0e1a619a8b7c68e8aefc4090e9d1cbbcdfb8d8aede76f9e63f81479f5a035e8008699a4d7175da6248e6e49eb7c81b3dba30c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.dll

Filesize
5.5MB

MD5
b09d3cc034d47d9e871b389f61f4a770

SHA1
752a0e72498667fb9bcea8c50e553eec26ada599

SHA256
cee6da30438bc7547140aad7f84f00fcec8b959afbdeb0d5551eea74863a100b

SHA512
c6acc7bc22e7bce90d6a489f930b31e561664bd1cb6279a4e4640e9fe9bbe965481d7b7453e69664b9b61b44e4755b5cfa36df3d5d971377ec1ade12cc7991c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.dll.id[18CA63B3-3483].[[email protected]].8base

Filesize
5.5MB

MD5
b09d3cc034d47d9e871b389f61f4a770

SHA1
752a0e72498667fb9bcea8c50e553eec26ada599

SHA256
cee6da30438bc7547140aad7f84f00fcec8b959afbdeb0d5551eea74863a100b

SHA512
c6acc7bc22e7bce90d6a489f930b31e561664bd1cb6279a4e4640e9fe9bbe965481d7b7453e69664b9b61b44e4755b5cfa36df3d5d971377ec1ade12cc7991c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe

Filesize
18KB

MD5
cfe72ed40a076ae4f4157940ce0c5d44

SHA1
8010f7c746a7ba4864785f798f46ec05caae7ece

SHA256
6868894ab04d08956388a94a81016f03d5b7a7b1646c8a6235057a7e1e45de32

SHA512
f002afa2131d250dd6148d8372ce45f84283b8e1209e91720cee7aff497503d0e566bae3a83cd326701458230ae5c0e200eec617889393dd46ac00ff357ff1b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe.id[18CA63B3-3483].[[email protected]].8base

Filesize
18KB

MD5
eed39da9e5b01b5f198190fc3775fd18

SHA1
7ea3977b931e84bc0da264154ae058b2a4ef0e23

SHA256
b467bae7961ef4f24d825136aa31449d4d349fc470dab83385d83c6bf0fa5304

SHA512
17162a257765e8a7136f7012307bd312eb5f4f8555c626857f555e3b8f28aef27fcddfc0dff0d3126a95787751ee52bcdddbb014df0a749aca0ea78c7469c85d

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml

Filesize
1KB

MD5
94f90fcd2b8f7f1df69224f845d9e9b7

SHA1
a09e3072cc581cf89adaf1aa20aa89b3af7bf987

SHA256
a16113a66b1c36f919b5f7eaa3fb7aa8e0ba9e057823861aabea703cc06a04c0

SHA512
51f4ee06a8d8bf1121083bf4383433160f16c68d1fe4c44e5d0e0529910d27ba8446c7a4bef359b990574d1d61563da30139c6d09ad0ad1a5b5c7748b8da08f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml.id[18CA63B3-3483].[[email protected]].8base

Filesize
1KB

MD5
27d04ab21b5a61609d51cffa378b0c0a

SHA1
7eb94404f90e49d44acdb416af5aa9fd5a50d1c3

SHA256
c04f462d22700bc7fd70fa3b6edd43b9362b110c900d63c8377639b947675113

SHA512
3d1e25ef4c0755a60f239ee49156da1932eb820ba2d97ee8529f90f9620a7e1de00e1475e726ac797eb0b1c64b80b06955edb85a35cfc196c4a469a2b0f8c8f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml

Filesize
7KB

MD5
108f130067a9df1719c590316a5245f7

SHA1
79bb9a86e7a50c85214cd7e21719f0cb4155f58a

SHA256
c91debd34057ca5c280ca15ac542733930e1c94c7d887448eac6e3385b5a0874

SHA512
d43b3861d5153c7ca54edd078c900d31599fc9f04d6883a449d62c7e86a105a3c5dfb2d232255c41505b210b063caf6325921dc074fcdf93407c9e2c985a5301

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml.id[18CA63B3-3483].[[email protected]].8base

Filesize
7KB

MD5
66f8876b1cc10e3bf17a2e97b614a716

SHA1
e8ccbc0a625a6b7fd2b4e9f15122a74f7b5aefe6

SHA256
79f73c2f69c0421651a8e34609ab5aa961782d0bd628ab4e2cb7d7d797f1fa65

SHA512
95dfa474f5d72b2fa502d05590f3613d7d4b728107268ba0b450aa0979f076b2769a40e41152d967c671b7077433fb4d8abbc90509d49e7419017e08341a8382

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml

Filesize
1KB

MD5
94f90fcd2b8f7f1df69224f845d9e9b7

SHA1
a09e3072cc581cf89adaf1aa20aa89b3af7bf987

SHA256
a16113a66b1c36f919b5f7eaa3fb7aa8e0ba9e057823861aabea703cc06a04c0

SHA512
51f4ee06a8d8bf1121083bf4383433160f16c68d1fe4c44e5d0e0529910d27ba8446c7a4bef359b990574d1d61563da30139c6d09ad0ad1a5b5c7748b8da08f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml.id[18CA63B3-3483].[[email protected]].8base

Filesize
1KB

MD5
b8e7366ec9ebdabff87b5f9c4d9ac1c0

SHA1
5b909af102e06b197504edc82f274029165dba6c

SHA256
a08c0d3afa68fabf6ca9ede20da0f7d2f8c406f11f195f78ef279782136c6d51

SHA512
7aeee6eae6a5a456c3aca5ea73d54cf87464f7e5e580f6afe069076a30a4db4645928c4c14e6d5d4f97838a59fb7ea0b36dd4488a4bfb30e42f5951dde8a5c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml

Filesize
7KB

MD5
108f130067a9df1719c590316a5245f7

SHA1
79bb9a86e7a50c85214cd7e21719f0cb4155f58a

SHA256
c91debd34057ca5c280ca15ac542733930e1c94c7d887448eac6e3385b5a0874

SHA512
d43b3861d5153c7ca54edd078c900d31599fc9f04d6883a449d62c7e86a105a3c5dfb2d232255c41505b210b063caf6325921dc074fcdf93407c9e2c985a5301

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\SysWOW64\WalletBackgroundServiceProxy.dll

Filesize
10KB

MD5
1097d1e58872f3cf58f78730a697ce4b

SHA1
96db4e4763a957b28dd80ec1e43eb27367869b86

SHA256
83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef

SHA512
b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\SysWOW64\WalletProxy.dll

Filesize
36KB

MD5
d09724c29a8f321f2f9c552de6ef6afa

SHA1
d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3

SHA256
23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c

SHA512
cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\SysWOW64\Windows.ApplicationModel.Wallet.dll

Filesize
402KB

MD5
02557c141c9e153c2b7987b79a3a2dd7

SHA1
a054761382ee68608b6a3b62b68138dc205f576b

SHA256
207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4

SHA512
a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\System32\WalletBackgroundServiceProxy.dll

Filesize
10KB

MD5
1097d1e58872f3cf58f78730a697ce4b

SHA1
96db4e4763a957b28dd80ec1e43eb27367869b86

SHA256
83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef

SHA512
b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\System32\WalletProxy.dll

Filesize
36KB

MD5
d09724c29a8f321f2f9c552de6ef6afa

SHA1
d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3

SHA256
23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c

SHA512
cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\System32\Windows.ApplicationModel.Wallet.dll

Filesize
402KB

MD5
02557c141c9e153c2b7987b79a3a2dd7

SHA1
a054761382ee68608b6a3b62b68138dc205f576b

SHA256
207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4

SHA512
a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\Manifests\amd64_microsoft-windows-wallet-service.proxy_31bf3856ad364e35_10.0.19041.1_none_5f44912b33b38332.manifest

Filesize
1KB

MD5
d69a1676090849faa06b2bf4cbe631df

SHA1
5206fb038c2f8d69ea8f6c09ae64de3413d3cc33

SHA256
27584ac3596b10d23744c95eada3002419cb1551c7f959a24143b71fd11d285b

SHA512
9eee0eccaaf3203b8f106d4eaf3bf0914bbec7d6cb76442fc1bd59f1b3552ea2a104bc0bc8280c2de4c81472f5806ae5c1f1158fd093c61179e103170d6eebfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\Manifests\amd64_microsoft-windows-wallet-service_31bf3856ad364e35_10.0.19041.1_none_3a1c5ba65e57fed6.manifest

Filesize
122B

MD5
2e6626c5df8835605c4156eb96ac873d

SHA1
564e2077d8974c54b46bf9609723c67aebf6c746

SHA256
78e9f0edbaeecfdf86c70ac9562452b9e8f283b87d194fee546f3c15b6203920

SHA512
62df8c0b9f2c919017443f7a0400e3902270f98dcbd2b05fcc1041cc41cc28f902f580d396158dacf002e60b9b3dc988af726b4473c71dcf728ec624f3df981e

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\Manifests\amd64_microsoft-windows-wallet-service_31bf3856ad364e35_10.0.19041.985_none_61f85cc11deb0ddb.manifest

Filesize
129B

MD5
d0145a9e87b8696bd48f16c377fc213e

SHA1
5ca91e81c562eb5854f8df196b023dfb4e26180a

SHA256
abbcdcb9498a061c67e5d20c91f5a2d19f5e58b0a06fb0419c1fb95dc78bbf3f

SHA512
6d18b32304ae40d1cdcfae49145eefb733cb5b749d12b7c8a78eb4d10aa1cfb67598e7fcb88dc291b3d33bfe5ad0f41b613f6197bf5792a06b3ca3af76bf95df

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\Manifests\amd64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.264_none_a93c33a11646a55e.manifest

Filesize
2KB

MD5
84aea0ae39cd5c941489ef2fe5a5fad2

SHA1
311ed3767743ff6f3c87afe280b64620927007b7

SHA256
0f4d92146edf2a8f1b77f6f5fef2263a3b15065ee3a3ecd243b87a4e211c2fbf

SHA512
29c43e2e5b50915a824961955110273b6a1f00b935af8e3fac4d7f88dd687b509f826c20bca8fb66b7f888bd55fa406652e1e6242d0cd7a7ffa53f7dfef0d318

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\Manifests\amd64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.746_none_a953dd8b163491ed.manifest

Filesize
2KB

MD5
64822b32c2b3b02ff3b50fdc5c8cf03a

SHA1
05d4c2fa8aef378580dcdea50f9f3810f111607b

SHA256
e04c4314e857cf1d0569775f3c6d70f8c93bd4cc5615d9658f37a63166d5bf2b

SHA512
ceb2c237e8fbd572e3b05fe7d2f954276b9daeb5fa9d89b31280f7cd76b2bea857b173b79fd71f0f7ec22b646b2e0752710ec6d397411f10b1982ebb261b0063

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\Manifests\wow64_microsoft-windows-wallet-service.proxy_31bf3856ad364e35_10.0.19041.1_none_69993b7d6814452d.manifest

Filesize
1KB

MD5
538657d60b01761cbe1816fc19a02162

SHA1
544e630ea3c609c01ec34efefde464a2515f35de

SHA256
1908669eb15334e414077c524c939fede44eae44e131392d12e13faa7e7c856a

SHA512
eba0e354f807a52c6966fbb0ea9dd5262ae2fa2db6cdd680e75678946147c5b2c384515671a27403a74be7d80b8cd8dc0d3664ce8d2a9db7af74fc83fd19d06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\Manifests\wow64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.264_none_b390ddf34aa76759.manifest

Filesize
2KB

MD5
4defb136802da6a6623418fa2e1faad3

SHA1
f1bb8072be227018a4eb16fbac6122919a72dd53

SHA256
f5e69212311eae8b43f4fa1362e50b71542627d998083171df6fdff12b9d7a5e

SHA512
576618e1ff5183aa08875d833c65455de6fbe470fa4acce6bf009b02e0ca7a12099a3e8178bcec42a88125f16329076a984c74c45ec4a94eb2d910ffc29b646b

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\Manifests\wow64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.746_none_b3a887dd4a9553e8.manifest

Filesize
2KB

MD5
115f96a41622825493ab3d5c62db6395

SHA1
99c0c022badab0b0268874951fee801f52856a34

SHA256
314cd9c49e9d160a31c5b8d6788bb3b539a760d08877d8d183118769ffd106ce

SHA512
967baa20d3411792438b3eb17f0268f21727f6f6d50306b69478d37f7da9a6a0b465bed06a3e9dd26002e6a030742692bff4d4018c1ae3917eaa5745e9355a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-w..-service.deployment_31bf3856ad364e35_10.0.19041.1_none_8eded76dfc707d27\WalletService.dll

Filesize
429KB

MD5
4925079bb1e3bc51bd8745ef5aa6325e

SHA1
c6b6a57df4645f4f1efae6ed539aa618851d76df

SHA256
061fd9560a1cd66cf4b9f871c2f93af2c44720ae8134f325c1d12841489267cb

SHA512
4efa6227d46bc97e59f31f4949ebe5951958b6dac86c5208d8f9221ce9d732ffea225383a1b8ee23455455f68c3dba6ff6b3eee8bd23d4fc43f6891970220de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-w..-service.deployment_31bf3856ad364e35_10.0.19041.985_none_b6bad888bc038c2c\WalletService.dll

Filesize
432KB

MD5
d765b98325d89c076feeab1282cd08ea

SHA1
1c0e044db845f4bf5486ccf23675b5394d568bb3

SHA256
ac2f0a68a2bcaaf2decb0aaf1b50d652ed8b631b08d06b910b407fef9069412e

SHA512
5c726e7ca5282d1f51178c814c76ca268b604ccb5aad744aadfdded4883f9e28afd0d9f9a30daca2fed017028c54e54f6e04f3aabb12a2d0b37a44267fadb37d

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-w..-service.deployment_31bf3856ad364e35_10.0.19041.985_none_b6bad888bc038c2c\f\WalletService.dll

Filesize
11KB

MD5
204c37449f2f435bcd47fc3a33589ba8

SHA1
b8ce4d2b474a44b151f4252f44fc3d6c5d49e8f9

SHA256
23387b832b727f280fd036581cacabdebf1ccacc1c9c6782939487f9456627a6

SHA512
54c3cdce836703500b02aba2d715ad0c3e803a79ba49b6b436aecfc580c47081cd9a384e913c50b121c2dd2f1ece8a62bdeee6d40c33cc438154966cb075d677

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-w..-service.deployment_31bf3856ad364e35_10.0.19041.985_none_b6bad888bc038c2c\r\WalletService.dll

Filesize
9KB

MD5
516049b4656f0540b3900a19c43eb0e7

SHA1
6fd0260fe345c763e042842d204c8cddb4d9e1d9

SHA256
d53a4afc80b79999013bfd983bdb0a5ddded457397debf149002335c2fceadaf

SHA512
2dca05b264bffcc62e3b92b5e61aa037ef858f6f625e5c0e946a82f1edf7586c17244001093567ff534c4c31e41dc6446fbb23e5f1c6b6a5fe798f2dd6d939ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-w..ice.backgroundproxy_31bf3856ad364e35_10.0.19041.1_none_fa16cd4ceba3021a\WalletBackgroundServiceProxy.dll

Filesize
12KB

MD5
b7d6a6bb752e0f3b336fe9f48f2bd17f

SHA1
b2c212468d9e4988a13ebf5b8397fc864e958d4a

SHA256
6aafa6d7ee7b50f43a1a74f518132ad1f9e0ca2c7c1c83cb0508e716a7eef276

SHA512
0210af854ea1504d1d15b17979e3fb3140c3ddf037dbb828c42e4b656f93696744aa1f88c2e94e67781eaa16d923b69fb016d30e99879cca41f69fe9e3b1004d

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-w..t-service.resources_31bf3856ad364e35_10.0.19041.1_de-de_6544a4ab6302c712\WalletService.dll.mui

Filesize
5KB

MD5
79f7d3e335ebb7bd9ae87eab7ca3cf16

SHA1
665212f4c50d73fc5b4d6c70c06297ca3ac815c0

SHA256
d7dac445a427f96c20b7d76fe6726c1ed9d3b741fcb4733fdd0c6b747f9f3326

SHA512
3150d5985c9d7831d8eaf3481ed6166efc37436964660ee1a6ca165ee09ea6ba46a861e43ccd82061bd12d05a8ee65d6ff91d9c46f85dd458b04e60994b8e3cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-w..t-service.resources_31bf3856ad364e35_10.0.19041.1_en-us_0e357aa451e0d2d7\WalletService.dll.mui

Filesize
5KB

MD5
bc5d54311d229eaceb98977248a3e44c

SHA1
0011ae8085b6409a944a9e431652d9cafbcfce48

SHA256
32737c8e34b90b7f0d57b607b07b641f7b8a80ae4797856c6cb8ccbf8c1414fe

SHA512
09bff5f078a0834e8ac11a02fc57763aac1224e06d0ecf7940af38d2bc5e41b38ff5d508bd1c8a73b46c68a3c01916d1ed2e18925e0b1d2fe6d10d422ad7b4b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-w..t-service.resources_31bf3856ad364e35_10.0.19041.1_es-es_0e00d7885207c47c\WalletService.dll.mui

Filesize
5KB

MD5
3a5c90eb743bd9418dc290728f7dfddf

SHA1
5f291ab31dcac64da412e759e1306fb7e7103677

SHA256
5ff0a16fb2af2235e3faefcfe5a453009ae4ff0b66d8ad6936634d5e05a42422

SHA512
ec86a18fd349880d31b47f90161d0f8b0c4cb9d69ef1e8a3ab451969f22b4a8e74bbe3f8c3d80e25e9ae836d4ac30dbf8071affa1f4965a74856b56db2f07635

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-w..t-service.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b0b84d8744d9dade\WalletService.dll.mui

Filesize
5KB

MD5
b001c9f59b4b4b840226a4f9698f69c0

SHA1
68599a6f3f68f9d42eeb5320da64b54cd553abdd

SHA256
fb489fe4cc55c17f4cb2b574e4745381668353bcd5eb2686e5f416a9b7bf749b

SHA512
5b7fa838f4f23fac411bcd014fae84214cc819418574962f2b467ad10b910602fa5b869e2a634676bc1f326e7c9a06a4610ad059fa4b6a6f7acb6aa86657fbc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-w..t-service.resources_31bf3856ad364e35_10.0.19041.1_it-it_9ae043ce1c0bc05c\WalletService.dll.mui

Filesize
5KB

MD5
94ee84ab7efe1b9544007cd42fa633b5

SHA1
d80dc1f8487aed937bbf505b802aca414d388ec4

SHA256
19b14ca65a4397a0adafaf5cca41b064462533c1f14fb58a65e3e16259da6901

SHA512
a35e791de69c1f2360c01b8c4f0bbe5f2de8e4cf8acd8059b85622d2878b6451ad467df3ee98e448a265ee149655935dd7a027c17ebc69d4c5f5c771c616a503

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-w..t-service.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_3d05c2db0f26d237\WalletService.dll.mui

Filesize
4KB

MD5
5b4332eb69df3bad9e8e2676b126f269

SHA1
fad408463dcd32caaef1e43498e6c30096107e76

SHA256
a987bdfdacbfafd2dee4e9a7ba8f222a6fa08e9a52e082448c1415a0b398e464

SHA512
cc978e4e39de2c695432bba9d7e9fa7a418b191458ccf5a08619a0d0b1ea6e7919e50890f10de0aaf3cf5f8c885b68cc6e8c88a48f81fb42be09bd2584a29b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-wallet-service.proxy_31bf3856ad364e35_10.0.19041.1_none_5f44912b33b38332\WalletProxy.dll

Filesize
102KB

MD5
0ec2f54af7a73c0281e0b7ba5a40abcb

SHA1
6d1b10fa5b1563307278b974de0a131452dd6641

SHA256
f80fcc0e391b6a9a881e1d44e7a4b521cb54134e32dde6e5b57d68da7c75a1e8

SHA512
8d43caa8023d35aafd87ebd76970fb54411d2e7709d7c89ce0831d6d1931ef22138601af94de27dec53cb326411a47da588479843ca07cf920d8177b5fa233fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.264_none_a93c33a11646a55e\Windows.ApplicationModel.Wallet.dll

Filesize
562KB

MD5
842e4b18c1dfc35f087d1843ea17402e

SHA1
9c9806f29b6727f7287d35a3d9d0e7792d499100

SHA256
d627ab167ce1f63f6c863c47078dc7e4351805864d278bb3b45fe14d4293539d

SHA512
388b6ad84975a8adf0632a0a4d1393e9ae9af55942fe54125c654b53b225fe3af0c71bc45277bccac3908f546cc8ba8f8484c0b8e1437a14208c04429a1c1264

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.264_none_a93c33a11646a55e\f\Windows.ApplicationModel.Wallet.dll

Filesize
18KB

MD5
c957509cf9437b665234d1780f90db42

SHA1
10ea8a6b0cc11da0c43623d45360f51145b9b11c

SHA256
e4f117bed194bc05b0500814cdcc170610cd867ada80f665e56292e99b197ff3

SHA512
5f3d2127fa8511a6e0bc3a1e689d65803cc37577723bd60a126de2f7883c4d35938806e1ca36f5fbaa03ad4a08c1456c023d6d7e198cf197e04f6a0938644288

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.264_none_a93c33a11646a55e\r\Windows.ApplicationModel.Wallet.dll

Filesize
17KB

MD5
287cbe251d51ba1070b2e8bbf516211a

SHA1
8aeca512465a6fd89cdf98c247799f8be72d3daa

SHA256
22a10244486642b19ce5669e62165e57db03aed322daa3d527956a3cf99b7e69

SHA512
d6d07ad1f46f112d219e8835a7da0149aae1e8f9d43a564513bbf46914ff223d49e45e8385dd2fa50d49dff7c9b08ce3cd29436a3d9700076e975af40c4d6ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.746_none_a953dd8b163491ed\Windows.ApplicationModel.Wallet.dll

Filesize
563KB

MD5
cf72d2bb801b140d14b5ef94a7193333

SHA1
a012220fe3a7aa1866ebee06eeaeff5488224d21

SHA256
95a8dc32bce0d7bf43235d7c6f593cbbcee2ea79d84b955424bc582968d737e4

SHA512
f8c5a8c4cfb8cc90710cc88f29885a174161e7123ee16ee4a3165ca0aa3074f3a7c6a93761fdf7a387a187f53fd3fed952f6e285a23485c56be7ef0631d3180d

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.746_none_a953dd8b163491ed\f\Windows.ApplicationModel.Wallet.dll

Filesize
24KB

MD5
2acb0c8eb5b30a91b246530968927efd

SHA1
f5d0e77682643af7b28d25862c65de17943b8865

SHA256
c33f8b5ef6b87f29fbfdee4b8c727ac427ca279b83e1a5f6c32b406a3e3bb7d4

SHA512
228679a1c8e8a515ba4b5dea893779d4e34105a0bc4db4f3e88f11253029d4a6e9ca0665af9c6caff831627b9b5ae7c7b91f12b57c79aef6b561df8b0b512163

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.746_none_a953dd8b163491ed\r\Windows.ApplicationModel.Wallet.dll

Filesize
24KB

MD5
c9d97269a33c6769582c81d880f78a1c

SHA1
e3c04dad51e127ada2f833a2220594d2b34c572c

SHA256
e8c29c666618ef4c7f2406883e0aa06597cc794b304073b555e1520016fac8e6

SHA512
b6de144cb010fc3a400b04c5a976a97be3d6c1d99ff24c30bdc0e00ee8f77d8c5d6dbc0449651df3a3342c79566fe1bab26a67968b90f3ead7323947145ab1ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\wow64_microsoft-windows-w..ice.backgroundproxy_31bf3856ad364e35_10.0.19041.1_none_046b779f2003c415\WalletBackgroundServiceProxy.dll

Filesize
10KB

MD5
1097d1e58872f3cf58f78730a697ce4b

SHA1
96db4e4763a957b28dd80ec1e43eb27367869b86

SHA256
83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef

SHA512
b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\wow64_microsoft-windows-wallet-service.proxy_31bf3856ad364e35_10.0.19041.1_none_69993b7d6814452d\WalletProxy.dll

Filesize
36KB

MD5
d09724c29a8f321f2f9c552de6ef6afa

SHA1
d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3

SHA256
23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c

SHA512
cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\wow64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.746_none_b3a887dd4a9553e8\Windows.ApplicationModel.Wallet.dll

Filesize
402KB

MD5
02557c141c9e153c2b7987b79a3a2dd7

SHA1
a054761382ee68608b6a3b62b68138dc205f576b

SHA256
207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4

SHA512
a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ueulrkzs.0m4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Rhyivhytef.exe

Filesize
3.4MB

MD5
ba671a266b0fb8320d3127f1f797da8c

SHA1
494d3fdac306a9bb59b099cc8a10b8e382c7fd2d

SHA256
6fd1e716c8032d59d693b1468f4452cffd56f6f2dea391444d3c3cc0092b4bec

SHA512
2b4eadf6dc8bffde13e761e6d2c47f406c8c2e9ae4e987bee0efefca64f7cadd266238fe71a62620235c426618be10e2a541641565a2cd07723b88a18c447bf9

Download Submit
C:\Users\Admin\AppData\Roaming\Rhyivhytef.exe

Filesize
2.6MB

MD5
e7ac55d61ab9cfcf180c92c1381a2fa1

SHA1
f79fe555c492a9effe26ead87ec7eb3c53899083

SHA256
afddec37cdc1d196a1136e2252e925c0dcfe587963069d78775e0f174ae9cfe3

SHA512
e3fa85d3af3625384ecea090a7c205325825a1b91ad43e1f86f56a719ad733d71b4be9c34edd03d8ff774e28b3feb605dc073f66f4a01359f8e4bad5b8bcfae2

Download Submit
C:\Users\Admin\AppData\Roaming\tertdag

Filesize
438KB

MD5
14d53b6bca02208a2c5b0080a3344175

SHA1
e079d5eab6645dcbf35d7eec5b593a16bbfb7b4e

SHA256
56dd792dd5fef77693fda971d8b33f014e28a47bce927b5714a9a1303e4cbbac

SHA512
70370ea4339a85f5dd91d889e676d254f21e3118c07a42fd78c3aa4fb7673ef42a2cd487666f5391041b57f00de44bfea59127ba964698a92155a67985633055

Download Submit
C:\Users\Admin\AppData\Roaming\usbitrg

Filesize
281KB

MD5
9769c181ecef69544bbb2f974b8c0e10

SHA1
5d0f447f4ccc89d7d79c0565372195240cdfa25f

SHA256
e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0

SHA512
b3da8fea6ee5d6b67f55a4043f18d7325f1700c9f3dcb0e7cbf21f49ebdbb56b5a10a2d03153d0dfb1e8dc34db20cdea0236c448f2c361fadbabf9a6f59b4c7a

Download Submit
C:\Users\Admin\AppData\Roaming\usbitrg

Filesize
281KB

MD5
9769c181ecef69544bbb2f974b8c0e10

SHA1
5d0f447f4ccc89d7d79c0565372195240cdfa25f

SHA256
e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0

SHA512
b3da8fea6ee5d6b67f55a4043f18d7325f1700c9f3dcb0e7cbf21f49ebdbb56b5a10a2d03153d0dfb1e8dc34db20cdea0236c448f2c361fadbabf9a6f59b4c7a

Download Submit
C:\Users\Admin\AppData\Roaming\usbitrg

Filesize
281KB

MD5
9769c181ecef69544bbb2f974b8c0e10

SHA1
5d0f447f4ccc89d7d79c0565372195240cdfa25f

SHA256
e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0

SHA512
b3da8fea6ee5d6b67f55a4043f18d7325f1700c9f3dcb0e7cbf21f49ebdbb56b5a10a2d03153d0dfb1e8dc34db20cdea0236c448f2c361fadbabf9a6f59b4c7a

Download Submit
C:\Users\Admin\Desktop\info.hta

Filesize
5KB

MD5
0d971447375d95699a5e0e08b4e06e99

SHA1
c9267226e75afc88b515b1d7eddb6e2482ba5acf

SHA256
ce9f46b5cf76d34af82e51ec9c7ad558c09e20b2fb1b26d4ece8c040b549ee84

SHA512
9bb7d539b343234bbdcabde47fab5831c6ce5b1484180d7759ae8995bc63271bea4cbdd68ca64a9a40686a9961bfb56f3a02dc0b5fe176b51befbd693d130f56

Download Submit
C:\info.hta

Filesize
5KB

MD5
0d971447375d95699a5e0e08b4e06e99

SHA1
c9267226e75afc88b515b1d7eddb6e2482ba5acf

SHA256
ce9f46b5cf76d34af82e51ec9c7ad558c09e20b2fb1b26d4ece8c040b549ee84

SHA512
9bb7d539b343234bbdcabde47fab5831c6ce5b1484180d7759ae8995bc63271bea4cbdd68ca64a9a40686a9961bfb56f3a02dc0b5fe176b51befbd693d130f56

Download Submit
C:\info.hta

Filesize
5KB

MD5
0d971447375d95699a5e0e08b4e06e99

SHA1
c9267226e75afc88b515b1d7eddb6e2482ba5acf

SHA256
ce9f46b5cf76d34af82e51ec9c7ad558c09e20b2fb1b26d4ece8c040b549ee84

SHA512
9bb7d539b343234bbdcabde47fab5831c6ce5b1484180d7759ae8995bc63271bea4cbdd68ca64a9a40686a9961bfb56f3a02dc0b5fe176b51befbd693d130f56

Download Submit
C:\users\public\desktop\info.hta

Filesize
5KB

MD5
0d971447375d95699a5e0e08b4e06e99

SHA1
c9267226e75afc88b515b1d7eddb6e2482ba5acf

SHA256
ce9f46b5cf76d34af82e51ec9c7ad558c09e20b2fb1b26d4ece8c040b549ee84

SHA512
9bb7d539b343234bbdcabde47fab5831c6ce5b1484180d7759ae8995bc63271bea4cbdd68ca64a9a40686a9961bfb56f3a02dc0b5fe176b51befbd693d130f56

Download Submit
memory/228-231-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/228-249-0x00000000056E0000-0x0000000005746000-memory.dmp

Filesize
408KB

Download
memory/228-372-0x00000000074A0000-0x0000000007B1A000-memory.dmp

Filesize
6.5MB

Download
memory/228-317-0x0000000006070000-0x00000000060B4000-memory.dmp

Filesize
272KB

Download
memory/228-342-0x0000000006DA0000-0x0000000006E16000-memory.dmp

Filesize
472KB

Download
memory/228-345-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/228-373-0x0000000006D40000-0x0000000006D5A000-memory.dmp

Filesize
104KB

Download
memory/228-279-0x0000000005BF0000-0x0000000005C0E000-memory.dmp

Filesize
120KB

Download
memory/228-243-0x0000000004CE0000-0x0000000004D46000-memory.dmp

Filesize
408KB

Download
memory/228-235-0x0000000004C40000-0x0000000004C62000-memory.dmp

Filesize
136KB

Download
memory/228-3143-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/228-228-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/228-205-0x0000000004DC0000-0x00000000053E8000-memory.dmp

Filesize
6.2MB

Download
memory/228-2044-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/228-2076-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/228-198-0x00000000022D0000-0x0000000002306000-memory.dmp

Filesize
216KB

Download
memory/404-3007-0x0000000000ED0000-0x0000000000ED7000-memory.dmp

Filesize
28KB

Download
memory/404-287-0x0000000000ED0000-0x0000000000ED7000-memory.dmp

Filesize
28KB

Download
memory/404-289-0x0000000000EC0000-0x0000000000ECB000-memory.dmp

Filesize
44KB

Download
memory/1004-2511-0x0000000000D80000-0x0000000000D8D000-memory.dmp

Filesize
52KB

Download
memory/1004-2545-0x0000000000F50000-0x0000000000F5B000-memory.dmp

Filesize
44KB

Download
memory/1060-268-0x0000000000C00000-0x0000000000C6B000-memory.dmp

Filesize
428KB

Download
memory/1060-221-0x0000000000C70000-0x0000000000CF0000-memory.dmp

Filesize
512KB

Download
memory/1060-186-0x0000000000C00000-0x0000000000C6B000-memory.dmp

Filesize
428KB

Download
memory/1060-182-0x0000000000C00000-0x0000000000C6B000-memory.dmp

Filesize
428KB

Download
memory/1100-184-0x0000000004A40000-0x0000000004A4A000-memory.dmp

Filesize
40KB

Download
memory/1100-1499-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/1100-157-0x0000000000040000-0x000000000007E000-memory.dmp

Filesize
248KB

Download
memory/1100-181-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/1100-166-0x0000000004AB0000-0x0000000004B42000-memory.dmp

Filesize
584KB

Download
memory/1100-159-0x0000000004FC0000-0x0000000005564000-memory.dmp

Filesize
5.6MB

Download
memory/1324-271-0x00000000010B0000-0x00000000010BB000-memory.dmp

Filesize
44KB

Download
memory/1468-3808-0x00000000005D0000-0x00000000005D9000-memory.dmp

Filesize
36KB

Download
memory/1468-702-0x00000000005D0000-0x00000000005D9000-memory.dmp

Filesize
36KB

Download
memory/1468-706-0x0000000000B90000-0x0000000000B9C000-memory.dmp

Filesize
48KB

Download
memory/2396-4524-0x00000000009A0000-0x00000000009A9000-memory.dmp

Filesize
36KB

Download
memory/2396-1222-0x00000000009A0000-0x00000000009A9000-memory.dmp

Filesize
36KB

Download
memory/2396-1229-0x00000000005D0000-0x00000000005F7000-memory.dmp

Filesize
156KB

Download
memory/2700-133-0x0000000002660000-0x0000000002675000-memory.dmp

Filesize
84KB

Download
memory/2700-135-0x0000000002680000-0x0000000002689000-memory.dmp

Filesize
36KB

Download
memory/2836-1774-0x00000000005A0000-0x00000000005AB000-memory.dmp

Filesize
44KB

Download
memory/2836-1755-0x00000000005D0000-0x00000000005D9000-memory.dmp

Filesize
36KB

Download
memory/2976-258-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

Filesize
1.3MB

Download
memory/2976-177-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

Filesize
1.3MB

Download
memory/2976-4532-0x000001EABA7C0000-0x000001EABA7D0000-memory.dmp

Filesize
64KB

Download
memory/2976-152-0x000001EAA0040000-0x000001EAA02E0000-memory.dmp

Filesize
2.6MB

Download
memory/2976-262-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

Filesize
1.3MB

Download
memory/2976-260-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

Filesize
1.3MB

Download
memory/2976-4527-0x000001EABAB00000-0x000001EABABB0000-memory.dmp

Filesize
704KB

Download
memory/2976-158-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

Filesize
1.3MB

Download
memory/2976-217-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

Filesize
1.3MB

Download
memory/2976-256-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

Filesize
1.3MB

Download
memory/2976-254-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

Filesize
1.3MB

Download
memory/2976-160-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

Filesize
1.3MB

Download
memory/2976-252-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

Filesize
1.3MB

Download
memory/2976-237-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

Filesize
1.3MB

Download
memory/2976-250-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

Filesize
1.3MB

Download
memory/2976-3810-0x000001EAA1DF0000-0x000001EAA1DF1000-memory.dmp

Filesize
4KB

Download
memory/2976-3809-0x000001EABA7C0000-0x000001EABA7D0000-memory.dmp

Filesize
64KB

Download
memory/2976-162-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

Filesize
1.3MB

Download
memory/2976-233-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

Filesize
1.3MB

Download
memory/2976-230-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

Filesize
1.3MB

Download
memory/2976-164-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

Filesize
1.3MB

Download
memory/2976-169-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

Filesize
1.3MB

Download
memory/2976-174-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

Filesize
1.3MB

Download
memory/2976-211-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

Filesize
1.3MB

Download
memory/2976-206-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

Filesize
1.3MB

Download
memory/2976-179-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

Filesize
1.3MB

Download
memory/2976-185-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

Filesize
1.3MB

Download
memory/2976-188-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

Filesize
1.3MB

Download
memory/2976-199-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

Filesize
1.3MB

Download
memory/2976-190-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

Filesize
1.3MB

Download
memory/2976-196-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

Filesize
1.3MB

Download
memory/2976-192-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

Filesize
1.3MB

Download
memory/2992-1542-0x00000000005D0000-0x00000000005F7000-memory.dmp

Filesize
156KB

Download
memory/2992-1560-0x00000000005D0000-0x00000000005D9000-memory.dmp

Filesize
36KB

Download
memory/3184-183-0x0000000000B60000-0x0000000000B6F000-memory.dmp

Filesize
60KB

Download
memory/3200-137-0x00000000012A0000-0x00000000012B6000-memory.dmp

Filesize
88KB

Download
memory/3532-527-0x00000000005D0000-0x00000000005D9000-memory.dmp

Filesize
36KB

Download
memory/3532-513-0x00000000005E0000-0x00000000005E5000-memory.dmp

Filesize
20KB

Download
memory/3532-3677-0x00000000005E0000-0x00000000005E5000-memory.dmp

Filesize
20KB

Download
memory/3692-1209-0x00000000005D0000-0x00000000005D9000-memory.dmp

Filesize
36KB

Download
memory/3692-4518-0x00000000005D0000-0x00000000005D9000-memory.dmp

Filesize
36KB

Download
memory/3692-1220-0x00000000009A0000-0x00000000009A9000-memory.dmp

Filesize
36KB

Download
memory/3708-859-0x0000000000B90000-0x0000000000B9C000-memory.dmp

Filesize
48KB

Download
memory/3708-861-0x00000000005D0000-0x00000000005D9000-memory.dmp

Filesize
36KB

Download
memory/3816-138-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3816-136-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3816-134-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4276-3158-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/4276-350-0x0000000000BA0000-0x0000000000BAF000-memory.dmp

Filesize
60KB

Download
memory/4276-348-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/4492-2082-0x0000000000D80000-0x0000000000D8D000-memory.dmp

Filesize
52KB

Download
memory/4504-212-0x0000000000EB0000-0x0000000000EBC000-memory.dmp

Filesize
48KB

Download
memory/4504-203-0x0000000000EB0000-0x0000000000EBC000-memory.dmp

Filesize
48KB

Download
memory/5088-236-0x00000000005D0000-0x00000000005D9000-memory.dmp

Filesize
36KB

Download
memory/5088-2509-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/5088-263-0x00000000005D0000-0x00000000005D9000-memory.dmp

Filesize
36KB

Download